Shellshock Bug: 6 Key Facts - InformationWeek




The Shellshock bug could do more damage than the recent Heartbleed bug. Here's what you need to know.


Shellshock, the name given to a pair of vulnerabilities in Bash, a shell program distributed on Linux, Unix, and OS X systems, has been assigned a CVSS score of 10, on a 1-to-10 scale. It's as serious as security bugs get.

Worse, the difficulty of exploiting Shellshock is rated "low." Almost anyone with an interest in malicious code will be able to build malware that uses the vulnerabilities. As if to demonstrate that, security companies began detecting Shellshock malware within hours after the vulnerabilities were disclosed.

Here's what you need to know.

How long has Bash been vulnerable?
About 22 years. According to the New York Times, Chet Ramey, senior technology architect at Ohio's Case Western Reserve University, has maintained the Bash open source project for roughly that long and believes that Shellshock dates back to a new feature introduced in 1992.

[Are we becoming a nation of complacency? Read Shellshocked: A Future Of ‘Hair On Fire’ Bugs.]

The earliest version of Bash affected by the vulnerability, 1.14, dates back to 1994. The most recent version, 4.3, is also vulnerable. News of the vulnerability appears to have surfaced on Wednesday.

Which machines are vulnerable?
The vulnerabilities affect machines running Linux, BSD, and Unix distributions, including Mac OS X. Apple said in a statement to AFP on Friday that OS X is safe by default unless users have configured advanced Unix services. The company said it's working on a patch for those users.

Bash is not native to Windows, but Cygwin, which ships a Windows build of Bash, is vulnerable. Beyond that, Shellshock has the potential to affect anyone visiting a website hosted on a vulnerable server -- if the server has been compromised via Shellshock, it could deliver other malware.

How many machines are vulnerable?
It's difficult to say. About 10% of personal computers run Linux or OS X. But then there are servers and Internet-connected devices to consider. Many security experts are comparing Shellshock to the Heartbleed vulnerability discovered in April. Heartbleed affected an estimated 500 million computers; the BBC suggests Shellshock could affect just as many, without providing details about how it arrived at that figure.

Is my machine vulnerable?
There are two tests, one for each vulnerability (CVE-2014-6271 and CVE-2014-7169). On a Mac, open the Terminal program and type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see "vulnerable" echoed in the response, your version of Bash is affected. Then type:

env X='() { (a)=>\' bash -c "echo date"; cat echo

If you see today's date (alongside any errors), your version of Bash is vulnerable.
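The two one-liners above only tell you whether the local Bash binary is affected; a server is actually exposed when some network-facing service (a CGI script, for instance) copies attacker-controlled input into environment variables that Bash then imports. The following script is an added example, not part of the original article: it wraps the two tests from the article so they can be run unattended (the second one in an empty temporary directory, so the file it would create on a vulnerable system is contained), and it scans web-server access-log lines for the function-export prefix that both CVEs depend on. The log lines are constructed for this example, the IP addresses are documentation-range placeholders, and the `bash` path and log format (combined format, user-agent or referer carrying the payload) are assumptions.

```python
"""Defender-side checks for Shellshock (CVE-2014-6271 / CVE-2014-7169).

Added example: wraps the article's two Bash tests and adds a simple
access-log detector for the function-export prefix. Not the article's
or any vendor's tooling.
"""
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Optional

# Bash only treated an environment variable as an exported function when its
# value began with exactly "() {". Anchoring on the start of a field (line
# start, whitespace, a quote or '=') keeps things like "function() {" in a
# query string from triggering a false positive.
SHELLSHOCK_PATTERN = re.compile(r'(?:^|[\s"=])(\(\) \{)')

# Constructed sample in Apache combined-log format (IPs are documentation
# ranges). Lines 2 and 3 carry the prefix in the user-agent and referer
# fields; line 4 is a benign look-alike that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 45 "-" "() { :;}; echo test"',
    '198.51.100.2 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 45 "() { :; }; echo test" "curl/7.37.0"',
    '192.0.2.7 - - [25/Sep/2014:10:03:40 +0000] "GET /?cb=function() { return 1 } HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line whose fields carry the "() {" prefix.

    Each finding records the 1-based line number, the client address (first
    whitespace-separated field) and a short slice of the matching text.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        match = SHELLSHOCK_PATTERN.search(line)
        if match:
            start = match.start(1)
            findings.append({
                "line": number,
                "client": line.split()[0],
                "evidence": line[start:start + 40],
            })
    return findings


def run_local_bash_check(bash: str = "bash") -> Dict[str, Optional[bool]]:
    """Run the article's two tests against the local bash binary.

    Returns True/False per CVE, or None for both when bash is not installed.
    """
    try:
        # Test 1 (CVE-2014-6271): a vulnerable bash executes the trailing
        # 'echo vulnerable' while importing the function definition.
        env = dict(os.environ, x="() { :;}; echo vulnerable")
        out = subprocess.run([bash, "-c", "echo this is a test"], env=env,
                             capture_output=True, text=True, timeout=10).stdout
        cve_6271 = "vulnerable" in out

        # Test 2 (CVE-2014-7169): with only the first patch applied, the
        # crafted definition redirects output into a file named 'echo'.
        # Running in an empty temp directory keeps the check self-contained.
        env = dict(os.environ, X="() { (a)=>\\")
        with tempfile.TemporaryDirectory() as tmp:
            subprocess.run([bash, "-c", "echo date"], env=env, cwd=tmp,
                           capture_output=True, text=True, timeout=10)
            cve_7169 = os.path.exists(os.path.join(tmp, "echo"))
        return {"cve_2014_6271": cve_6271, "cve_2014_7169": cve_7169}
    except FileNotFoundError:
        return {"cve_2014_6271": None, "cve_2014_7169": None}


if __name__ == "__main__":
    print("local bash:", run_local_bash_check())
    for finding in scan_log_lines(SAMPLE_LOG):
        print("suspicious request:", finding)
```

A hit from `scan_log_lines` on a host whose `run_local_bash_check` reports False for both CVEs is still worth triage: the request shows someone probing, and the same pattern in logs from before the patch date tells you whether the box was exposed while it was vulnerable.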

Is there a fix?
Sort of. Major Linux vendors have released patches; Apple is working on one. US-CERT notes that patches for CVE-2014-6271 don't fix it completely (Red Hat has said as much). US-CERT advises that people stay tuned for patches to resolve CVE-2014-7169 (Red Hat's patch is available). Many security vendors have released detection tools and promise protection through their own software. Red Hat has offered several mitigation methods for experienced IT administrators.

Why should I care?
Because these bugs allow an attacker to execute malicious code on affected machines, without any authorization check. And even if your machine is safe, you won't be happy when someone is able to steal your credit card numbers because these vulnerabilities affected someone else's server.


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

User Rank: Apprentice
9/30/2014 | 10:20:46 PM
The yellow journalism of this is becoming apparent
As time goes by it is slowly but surely becoming apparent that too many yellow journalists/ bloggers and security companies dying for publicity have in effect been "Chicken Little" claiming the sky is falling.

All these Bash shell one-liner tests are idiotic. I can run 'rm -rf *' in my bash shell and destroy my computer - that doesn't prove it's vulnerable. The fact is that a hacker would have to find an injection point. This BASH issue provides no such injection point - it can only be "used" once an injection point is found.

When you delve into expert forums and really learn about this issue - it's pretty much a "patch and move on" feeling. Far short of the Chicken Little scenarios posted by idiots reading other idiots' inflamed posts.
User Rank: Strategist
9/29/2014 | 1:02:07 PM
Re: A short-lived gloatfest
I agree. I would give it a few more weeks, even months, before saying that it has fully and truly been contained, with only 1 or 2 isolated cases that are then swiftly resolved. No OS is immune from bugs or attacks.
User Rank: Apprentice
9/29/2014 | 10:00:15 AM
Re: A short-lived gloatfest
I agree. To say "it's contained" would mean you/they personally know that it is by having been to the system(s) in question.
I also agree that things are not reported in a timely manner.
User Rank: Ninja
9/28/2014 | 6:32:02 PM
Re: A short-lived gloatfest
Little early to say it's contained, don't you think? Not sure how anyone could know that it's contained and nothing will come of this. Just because the "writeups" point to it being contained doesn't mean it is. I think we have all been around enough to know everything isn't reported on in a timely manner... especially breaches.
User Rank: Apprentice
9/27/2014 | 11:54:00 PM
Re: A short-lived gloatfest
A Future of 'Hair on Fire' Bugs suggests that Shellshock, similar to Conficker, will be around even after all current living humans are in our graves. It most certainly will never be contained according to that article.
User Rank: Ninja
9/27/2014 | 4:52:38 PM
A short-lived gloatfest
I can't help but get the distinct feeling that every Microsoft fanboi on the planet is gloating right about now at the thought that a 'nux OS has a vulnerability. The difference is, of course, that shellshock, for all of the writeups/FUD I've read about it since it was discovered on the 24th, the fact remains that it is contained.
User Rank: Ninja
9/27/2014 | 3:15:28 PM
"It's difficult to say. About 10% of personal computers run Linux or OS X. But then there are servers and Internet-connected devices to consider."

I suppose I agree that such estimations are a bit difficult, but you're certainly quite a bit off here. The actual 'market share' (quarterly sales, etc.) figures for Apple haven't been below 10% for the last decade or two. That's not even considering actual IN USE unit percentages for each OS (for example a typical Windows unit might become a cash register or have Unix loaded on it). A more realistic figure would probably be above 20% (and if we weren't counting boxen in corporations, managed by IT staff, we'd probably be talking 40% or more).

As far as vulnerability, the test you've outlined only shows if you have a 'vulnerable' version, not that you're *actually* vulnerable. For example, on OSX, unless you've turned on command-line remote access or are using some software which is externally available that implements Bash, you'd only be vulnerable to LOCAL attacks (ie: someone sitting at your machine).

So, while this is certainly a serious threat, it's also important to keep it in perspective.