Critical Bash Bug “Shellshock” might be as big as Heartbleed

bash_bomb

Critical Bash Security Alert!

Last night, researchers disclosed a critical security bug affecting all versions of GNU Bash through 4.3. Any Linux, Unix, or Mac OS X machine running versions 1.14.0 to 4.3 of the command interpreter is vulnerable to remote execution of malicious code. NIST initially assigned the vulnerability to  CVE-2014-6271 and then to CVE- 2014-7169 to account for patching issues, and they have ranked the bug a 10.0 in terms of severity. Because the bug affects potentially hundreds of millions of machines, many are already comparing it to Heartbleed and have given it the name “Shellshock.”

Threat Mitigation

To check for the vulnerability, you can enter the following command into Bash:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Vulnerable versions will return:

vulnerable
this is a test

Non-vulnerable versions will return:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

More technical specifics on how Shellshock works can be found at the Red Hat Security Blog. Users and administrators affected by Shellshock should apply patches immediately:

Shellshock was discovered by Stephane Chazelas of Akamai. The company’s initial statement can be viewed here. As this vulnerability is an Internet-wide security issue, Emsisoft will continue to follow Shellshock as it develops and inform our users of any critical developments.

What should I do if I use Windows?

Those running Windows wondering what to do to stay protected should know that Shellshock does not directly affect their machine, but it could affect computers they interact with when they use the Internet. Unfortunately, there is nothing Emsisoft can do about this since Linux, Unix, and Mac OS X are not operating systems we support. The best we can do for now is sit tight, and hope that administrators who use these systems apply the appropriate patch as soon as possible.

Have a nice (malware-free) day!