You may remember the commotion surrounding the Heartbleed incident several months ago. Well, Shellshock is much bigger. Shellshock, also known as the Bash Bug, is a very different kind of bug from Heartbleed. While Heartbleed took advantage of a data-validation flaw in OpenSSL, Shellshock takes advantage of Bash by manipulating the user agent string provided to it.
What is the Shellshock Bash Bug?
Put simply, an attacker can use a program like Terminal on OS X to send commands to Bash. Bash then executes those commands, because it believes they are valid.
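The following script, an added example that is not part of the original article, shows the self-check administrators used to find out whether the Bash on a machine still runs a command smuggled in after a function definition in its environment. It assumes `bash` is on the PATH (or a path to it is given as the first argument); a fixed Bash prints only `probe`, a vulnerable one also prints `vulnerable`.

```shell
#!/bin/sh
# Added example: check whether the local bash still executes code that
# trails a function definition passed in through an environment variable.
# Returns 0 when patched, 1 when vulnerable, 2 when no bash was found.
shellshock_check() {
    bash_bin="${1:-bash}"                       # assumption: bash on PATH, or a path given as $1
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no bash found at '$bash_bin'"; return 2; }

    # The variable x looks like an exported function definition followed by
    # an extra command. A fixed bash ignores (or never imports) the trailing
    # command; a vulnerable one runs it while starting up, before 'echo probe'.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)

    version=$("$bash_bin" --version 2>/dev/null | head -n1)
    case "$out" in
        *vulnerable*) echo "VULNERABLE: $version"; return 1 ;;
        *)            echo "patched: $version";    return 0 ;;
    esac
}

# Stand-alone run: report on the default bash, or on the path given as $1.
shellshock_check "$@"
```

Run it on every box that has Bash, not only web servers: the check is local and does not need a CGI script or a web server to be present.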
You can check out Terminal yourself if you use a Mac. Simply go to the Finder > open the Applications folder (from the “Go” menu) > then the Utilities folder > and then open “Terminal.” It should look like this:
You should see that the menu bar says “bash”. Bash is a Unix shell written by Brian Fox for the GNU Project. It stands for Bourne-Again Shell and has become an industry standard over the last two decades.
Who is at risk?
The bug appears in Bash version 1.13 and later, and the vulnerability is widespread. Users of Mac OS X, Unix and servers running Linux are all vulnerable. That is a lot of people. While devices running Windows are not directly at risk, routers are, and a compromised router can be used to attack your Windows device.
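Webmasters who cannot patch immediately still want to know whether anyone is poking at their CGI scripts. The script below is an added example, not from the article, that scans web-server access-log lines for the `() {` prefix a Shellshock probe places in a header such as User-Agent (the header a CGI-backed server copies into Bash's environment). The four log lines are constructed for this example in the common combined log format; the function names are my own.

```shell
#!/bin/sh
# Added example: flag access-log lines whose header fields carry the
# "() {" function-definition prefix used by Shellshock probes.
# SAMPLE_LOG is constructed for this example (combined log format:
# client, ident, user, date, request, status, size, referer, user agent).
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 404 231 "() { :; }; echo hit" "curl/7.37"
192.0.2.14 - - [25/Sep/2014:10:03:40 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible)"'

# Read log lines on stdin and print the suspicious ones. The pattern allows
# any amount of space between "()" and "{", so "(){" and "()   {" also match;
# the marker can sit in the referer as well as the user agent, so the whole
# line is searched rather than one field.
find_shellshock_probes() {
    grep -E '\(\) *\{'
}

# Read log lines on stdin and print the number that carried the marker.
count_shellshock_probes() {
    find_shellshock_probes | wc -l | tr -d ' '
}

# Stand-alone run: scan the constructed sample, then a real log if one is given.
printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes
echo "hits in sample: $(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes)"
if [ -n "$1" ]; then
    echo "hits in $1: $(count_shellshock_probes < "$1")"
fi
```

A hit in the log does not mean the probe succeeded; it means someone tried, which is reason enough to confirm the patch is applied and to look at what the named CGI script does with its environment.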
Josh Reading, Technical Director at Mobius Media, said, “Imagine if your computer was your house, and all of the houses just unlocked. Now webmasters and server professionals are rushing to relock the houses by patching their vulnerable systems.”
“A patch has been released and we have secured all of our systems, but it is up to individual webmasters to do the same.”
How vulnerable are we?
Much of the impact of the Shellshock vulnerability is unknown and will surface in the coming months as researchers, admins and attackers find new avenues of exploitation.
“To be honest it came as a complete lack of surprise to me,” Assurance.com.au director and veteran Unix-hand Neal Wise said. “The use of shells for CGI was discouraged since the mid 90s.”
“There will be a period of discovery where we find that this thing or that thing that we rely on in our code is vulnerable.”
Like Heartbleed, Shellshock is an example of an open source platform that has become widely used across the industry. While this is generally a good thing, projects like OpenSSL and Bash are relatively poorly funded. As a direct result of Heartbleed, companies (such as Facebook) have invested in these open source projects in order to make them more secure.