Shellshock – Worse than Heartbleed?

published on October 3, 2014

You’ve heard of it and you’re probably googling about it and wondering whether it affects you or not. It’s Shellshock – a bug they say is probably bigger than Heartbleed. What is Shellshock anyway? Here’s what you should know.

Shellshock, also known as Bashdoor, is a security bug in the widely used Unix Bash shell which was disclosed on 24 September 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. (source: Wikipedia)

What exactly does it do?

  • On September 12, Stephane Chazelas discovered this vulnerability in Bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if Bash has been configured as the system shell.
  • The bug could affect any network or website that relies on Unix and Linux operating systems, including Mac OS X. This means that the Shellshock bug puts untold millions of computer networks and consumer records at risk of compromise.
  • An attacker can essentially gain full access to a vulnerable server. Since the attacker could take any action that the web server itself could take, the consequences could be disastrous: the compromise of a database, access to files, access to source code, data being deleted, data being changed, running programs, and/or deploying malware to compromise the system.
  • “…this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would “game over” for large networks.” – Robert Graham, Errata Security
  • According to Waylon Grange, senior malware researcher at Blue Coat – “Any organizations or users with unpatched Linux servers are vulnerable to hackers running unauthorized code, so it’s very important that organizations download and apply the patch immediately. Blue Coat is already seeing DDOS botnets trying to utilize this vulnerability in their attacks and we expect that traffic to only continue to increase.”
  • According to reports, it could affect your computer even if you’ve never heard of it. The flaw affects embedded devices and systems. That includes things like digital watches, MP3 players and traffic lights.
  • “From an end user perspective, there will not be much impact. Apple will release a patch, but this is more about systems and servers that may be vulnerable. It is about shopping and banking providers and are they doing everything to patch their systems which can impact your data.” – IT Security Guru, Jason Steer, director of technology strategy at FireEye
  • Avoid using open, unsecured WiFi if using Mac OS X, until Apple releases a patch. Linux desktop users should update their systems as soon as possible. Windows desktop users are unaffected.
  • Many software developers have already issued patches and more are being released by the hour. Two of the most popular Linux distributions, Red Hat and Ubuntu, already have patches available.
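
Probe traffic like the botnet activity mentioned in the Blue Coat quote above can be looked for in web server access logs. The following is an added example, not part of the original article: it scans log lines for the `() {` prefix that Bash uses to recognise an exported function in an environment variable. Assumptions not stated in the article: the logs use the Apache/nginx Combined Log Format, the marker string comes from public advisories, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Combined Log Format:
#   ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Assumption (from public advisories, not the article): vulnerable Bash treats
# an environment value as a function definition when it begins with "() {".
MARKER = "() {"


def scan(lines):
    """Return (ip, time, field) for each line whose request, referer or
    user-agent carries the marker, either raw or percent-encoded."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format: skip rather than guess
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if MARKER in value or MARKER in unquote(value):
                hits.append((m.group("ip"), m.group("time"), field))
                break  # report each line once
    return hits


# Constructed sample lines (documentation IP ranges, harmless payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; echo probe"',
    '203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test?x=%28%29%20%7B HTTP/1.0" 404 0 "-" "curl/7.30"',
    # Benign JavaScript-like text: "(){" without the space must not be flagged.
    '192.0.2.44 - - [25/Sep/2014:10:03:00 +0000] "GET /js/app.js?cb=fn(){} HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, field in scan(SAMPLE_LOG):
        print(f"{when}  {ip}  marker in {field}")
```

A hit only shows that a request carried the marker; whether it did anything depends on whether the request reached an unpatched Bash, so flagged hosts still need their patch level checked.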

More updates and patches are being issued on a regular basis so watch out for those to make sure your data is safe.
