Shellshock Bug: 6 Key Facts

Jack the Ripper Caught: 8 Mysteries Tech Should Solve

Shellshock, the name given to a pair of vulnerabilities in Bash, a shell program distributed on Linux, Unix, and OS X systems, has been assigned a CVSS score of 10, on a 1-to-10 scale. It's as serious as security bugs get.

Worse, the difficulty of exploiting Shellshock is rated "low." Almost anyone with an interest in malicious code will be able to build malware that uses the vulnerabilities. As if to demonstrate that, security companies began detecting Shellshock malware within hours after the vulnerabilities were disclosed.

Here's what you need to know.

How long has Bash been vulnerable?
About 22 years. According to the New York Times, Chet Ramey, senior technology architect at Ohio's Case Western Reserve University, has been maintaining the Bash open source project since then and believes that Shellshock dates back to a new feature introduced in 1992.

[Are we becoming a nation of complacency? Read Shellshocked: A Future Of ‘Hair On Fire’ Bugs.]

The earliest version of Bash affected by the vulnerability, 1.14, dates back to 1994. The most recent version, 4.3, is also vulnerable. News of the vulnerability appears to have surfaced on Wednesday.

Which machines are vulnerable?
The vulnerabilities affect machines running Linux, BSD, and Unix distributions, including Mac OS X. Apple said in a statement to AFP on Friday that OS X is safe by default unless users have configured advanced Unix services. The company said it's working on a patch for those users.

Bash is not native to Windows, but Cygwin, a Windows version of Bash, is vulnerable. Beyond that, Shellshock has the potential to affect anyone visiting a website hosted on a vulnerable server -- if the server has been compromised via Shellshock, it could deliver other malware.

How many machines are vulnerable?
It's difficult to say. About 10% of personal computers run Linux or OS X. But then there are servers and Internet-connected devices to consider. Many security experts are comparing Shellshock to the Heartbleed vulnerability discovered in April. Heartbleed affected an estimated 500 million computers; the BBC suggests Shellshock could affect just as many, without providing details about how it arrived at that figure.

Is my machine vulnerable?
Shellshocker.net provides two tests, one for each vulnerability, (CVE-2014-6271) and (CVE-2014-7169). On a Mac, open the Terminal program and type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see "vulnerable" echoed in the response, your version of Bash is affected. Then type:

env X='() { (a)=>\' bash -c "echo date"; cat echo

If you see today's date (alongside any errors), your version of Bash is vulnerable.

Is there a fix?
Sort of. Major Linux vendors have released patches; Apple is working on one. US-CERT notes that patches for CVE-2014-6271 don't fix it completely (RedHat has said as much). US-CERT advises that people stay tuned for patches to resolve CVE-2014-7169 (RedHat's patch is available). Many security vendors have released detection tools and promise protection through their own software. RedHat has offered several mitigation methods for experienced IT administrators.

Why should I care?
Because these bugs allow an attacker to execute malicious code on affected machines, without any authorization check. And even if your machine is safe, you won't be happy when someone is able to steal your credit card numbers because these vulnerabilities affected someone else's server.

You've done all the right things to defend your organization against cybercrime. Is it time to go on the offensive? Active response must be carefully thought through and even more carefully conducted. This Dark Reading report examines the rising interest in active response and recommends ways to determine whether it's right for your organization. Get the new Identifying And Discouraging Determined Hackers report today (free registration required).