What Is Shellshock?
The bug stems from coding mistakes in bash, a low-level computer program that’s been part of many, but not all, Unix-related systems for decades. That makes the bug mostly a problem for servers that run Unix, Linux or other similar operating-system variants, although Mac users might also have something to worry about.
The name “Shellshock” is a bit of wordplay based on the fact that bash is a “shell,” a type of program used to execute other programs. Bash, like many other shells, uses a text-based, command-line interface. (If you’re on a Mac, you can see this by opening your Terminal program.) Programmers can use bash to access another computer or computer system remotely and feed it commands.
Bash is short for “Bourne Again SHell,” a pun on Stephen Bourne, the computer-scientist author of an earlier Unix shell known simply as sh. It is compatible with every version of Unix, which made it an obvious choice for the default shell for Linux and Mac operating systems.
Bash is several decades old, and security researchers believe the Shellshock bug has lain undetected in bash for at least 22 years.
So Who’s Vulnerable?
Technically, any computer or system with bash installed is vulnerable. Since bash is installed by default on Unix systems, that includes a lot of computers.
Windows computers are safe; they don’t use bash. But if you’re using a Mac or running Linux, Ubuntu, or some other Unix flavor where bash is the default interpreter, then you could be at risk.
Just because your computer is vulnerable to Shellshock, however, doesn’t mean hackers can target it. For them to do so, they’d have to be able to access your computer’s bash program via the Internet.
If your computer is connected to the Internet through a password-protected wireless network—or physically via an Ethernet cable—you’re still basically safe. If you’re using an open, untrusted Wi-Fi connection, though, you could theoretically be vulnerable to a Shellshock exploit.
Even that’s extremely unlikely, though. The most likely targets, according to cyber security firm FireEye, are Internet servers and related large computer systems.
What About Me? Do I Have To Worry?
Eight versions of bash contain the vulnerability, from 1.13 up to the latest 4.3. To figure out which version you are using, you can open up your Terminal program and type the following:
$ bash --version
To search for the bug, type:
$ env X="() { :;} ; echo vulnerable" bash -c "echo stuff"
(The test should invoke bash by name. On some Linux systems, such as Debian and Ubuntu, /bin/sh is a different shell, and running the test there would report nothing even if the installed bash is vulnerable.) If your computer prints “vulnerable” on one line and “stuff” on the next, then your version of bash is executing the contents of an environment variable as code, and therefore contains the vulnerability.
Even if your computer is vulnerable, it’s still extremely unlikely that you will be targeted through the Shellshock bug. It’s too much effort for hackers to bypass your password-protected Internet connection just to get to it.
How Do Hackers Take Advantage Of The Bug?
Let’s take the simple test people are using to check for bash vulnerability, a command you’d issue to bash in this form:
$ env X="() { :;} ; echo vulnerable" bash -c "echo stuff"
If bash were working correctly, that command would assign the variable X a value—the string of characters “() { :;} ; echo vulnerable”—and would print only this on the screen:
stuff
The string “() { :;}” happens to be the form bash uses to pass a function definition from one program to another through an environment variable. The bug is that when bash starts up and imports that variable, it doesn’t stop at the end of the function definition; it interprets everything following that weird collection of parentheses, brackets, colons and semicolons as another command and runs it immediately. In this case, that command just prints the word “vulnerable” on the screen before the real command runs:
$ env X="() { :;} ; echo vulnerable" bash -c "echo stuff"
vulnerable
stuff
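The same check, wrapped in a small POSIX shell script that targets bash explicitly and reports a single word; this is an added example, not code from the original article. It assumes nothing beyond an `env` command and, optionally, a `bash` binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): a detector for the original
# Shellshock bug, CVE-2014-6271. It invokes bash by name because on some Linux
# systems /bin/sh is a different shell (dash), which would make the article's
# /bin/sh one-liner report "safe" while the installed bash is still vulnerable.

# Prints exactly one of: vulnerable, patched, no-bash
shellshock_check() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo no-bash; return 0; }
    # X looks like an exported function definition followed by a trailing
    # command. A vulnerable bash runs "echo vulnerable" while importing X
    # from the environment, before it ever gets to "echo stuff".
    out=$(env X='() { :;}; echo vulnerable' "$bash_bin" -c 'echo stuff' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Shows how a patched bash treats X: as an ordinary string, never as code.
# Prints the value of X exactly as the child bash sees it.
show_variable_as_seen_by_bash() {
    env X='() { :;}; echo vulnerable' bash -c 'printf "%s" "$X"' 2>/dev/null
}

# Usage: run the check and print the verdict.
shellshock_check
```

On a patched system the verdict is `patched` and `show_variable_as_seen_by_bash` prints the literal string `() { :;}; echo vulnerable`, which is what the article's "working correctly" case describes.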
But it could just as easily search for sensitive bank information, erase all your files, grant a new user untrammeled access to your computer or worse. Since bash is a key component for working on computers remotely, the hacker doesn’t even need to be anywhere near the system to do it.
This is only the first of at least six bugs associated with Shellshock that security researchers have found. The latest, tracked as CVE-2014-7186, enables denial-of-service attacks, in which hackers disrupt a computer’s Internet service.
How Do I Protect Myself?
That’s the tricky part. Security experts keep issuing patches, but researchers are simultaneously finding new related vulnerabilities. So “protection” is a moving target here, at least so far.
If you’re using Linux or Unix, Red Hat developed a patch over the weekend, but you have to install it over the command line and it’s got a lot of steps. This is Red Hat’s second patch for the bug but definitely not the last—as researchers keep finding more vulnerabilities associated with Shellshock, they have to keep reinforcing the patch. This patch only offers partial protection, but you can get instructions for installing it on your machine here.
Apple has maintained that the “vast majority of users” are not susceptible to the bug, only those who have customized their advanced Unix settings. To play it safe, Apple has released a patch, though security researchers have discovered new vulnerabilities associated with Shellshock that this patch doesn’t fix.
What’s The Real Danger?
Researchers have just discovered the first Shellshock botnet. (A botnet is a network of hacker-controlled computers operating maliciously as a group.) This botnet is called “wopbot” and seems to be targeting a content delivery network named Akamai as well as parts of the United States Department of Defense.
When wopbot gets hold of susceptible computers, it uses the aforementioned CVE-2014-7186 vulnerability to launch a denial-of-service attack. Akamai and the DoD have managed to take down wopbot’s command-and-control center, but the server that runs the bot is still live and looking for targets.
Is This As Bad As Heartbleed?
The Heartbleed bug let hackers exploit a flaw in the way your browser talks to a website over an encrypted channel. An attacker could theoretically exploit the bug to unravel the secure channels used by banks, e-commerce sites and other sensitive locations and steal passwords and other sensitive information.
Some security researchers say Shellshock will be “worse than Heartbleed” since bash allows hackers to explicitly inject code on remote computers, while Heartbleed only allowed them to passively listen in on server conversations they shouldn’t have had access to.
Furthermore, it was possible to patch Heartbleed immediately once security experts disclosed its existence. (Though many sites weren’t exactly fast off the mark.) Shellshock has been a different story so far.