Mac systems, beloved the world over for their higher levels of security when compared to Windows machines, are now the potential victims of a bug called ‘Shellshock’. (Linux, Ubuntu, and others are also affected.)
Bash, shells, exploits, and vulnerabilities – what does it all mean, and is your computer in danger?
Danger Zone: Shellshock in the Wild?
First of all, it’s important to note that no instances of exploitation have been found in the wild. That means this is a vulnerability that’s been around a long time without anyone (hackers) noticing it and taking advantage of it.
It’s something like realizing that the lock on your back door doesn’t work, and hasn’t for a while – and realizing that no one else has noticed it either.
Now, of course, everyone knows all about this vulnerability, so it’ll be a battle to see whether software companies jump in with patches and updates faster than unscrupulous individuals attack.
What Does ‘Bash’ Mean?
Bash is short for ‘Bourne Again SHell.’ (No, it’s not Robert Ludlum’s Bourne, of ‘The Bourne Identity’ fame – this ‘Bourne’ is named after the original writer of the Bourne shell code, computer scientist Stephen Bourne.) As you can read on the Linux Documentation Project, Bash is, “…the original shell still used on UNIX systems and in UNIX-related environments. This is the basic shell, a small program with few features. While this is not the standard shell, it is still available on every Linux system for compatibility with UNIX programs.”
The upshot of this is that the Bash shell may very well be in use on your non-Windows system in one form or another. But… what is a shell?
What is a Shell in Computer-Speak, and How is Bash Vulnerable?
A shell is something like a messenger, facilitating communication between you and your computer. It’s basically a way for you to get your commands or requests to your computer in a way it can understand.
When any part of your code is ‘vulnerable to exploit’ it basically means there’s a virtually unlocked door somewhere. In this case, Red Hat does an excellent job of explaining the vulnerabilities in their September 24, 2014 notice, “Bash specially-crafted environment variables code injection attack.”
In essence, many programs use Bash in the background – and it’s possible for outsiders to inject additional code into the shell, which then executes when the program invokes the shell.
Imagine a tennis shoe with a hole in the sole (The hole is Bash’s vulnerability). You put the shoe on (load the program) and take a step onto the road (start using the program). If someone’s thrown gravel on the road (injected code into your shell), a piece can get through the hole and hurt your foot (access or change information on your computer).
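For readers who want to see the idea in practice, here is an added example (not from the original article or from Red Hat's notice) of a defensive check. Affected Bash versions treated an environment variable whose value begins with `() {` as a function definition, so the script flags such values and notes whether extra text follows the function body. The function names and the sample data are constructed for this illustration.

```shell
#!/bin/sh
# Added example: flag NAME=value entries that look like Bash function
# definitions passed through the environment.

# Constructed sample input (not captured from a real system).
sample_env() {
    cat <<'EOF'
HOME=/home/alice
LANG=en_US.UTF-8
GREETING=() { echo hello; }
SUSPECT=() { echo hi; }; echo extra-text-after-body
NOTE=text that mentions () { but does not start with it
EOF
}

# classify_value VALUE -> prints "plain", "function" or "function+trailing".
# Heuristic: text left after the last closing brace counts as trailing.
classify_value() {
    brace='}'
    case "$1" in
        "() {"*)
            rest=${1##*"$brace"}
            # Ignore spaces, tabs and semicolons when judging what is left.
            rest=$(printf '%s' "$rest" | tr -d ' \t;')
            if [ -n "$rest" ]; then
                echo "function+trailing"
            else
                echo "function"
            fi
            ;;
        *) echo "plain" ;;
    esac
}

# scan_env: read NAME=value lines on stdin, print "NAME<TAB>kind" for each
# value that is not plain. Multi-line values are not handled.
scan_env() {
    while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac
        name=${line%%=*}
        value=${line#*=}
        kind=$(classify_value "$value")
        [ "$kind" = "plain" ] || printf '%s\t%s\n' "$name" "$kind"
    done
}

sample_env | scan_env
```

To review a live session instead of the sample, pipe `env` into `scan_env`; any entry reported as `function+trailing` deserves a closer look.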
Shellshock Bug: What Can You Do?
This vulnerability is not new, but it’s newly discovered, which means that patches are still forthcoming. Your best bet is to install all software patches available. If you’re on a non-Windows machine, update all programs to their latest version, particularly those that use FTP or Telnet, and immediately install all available software patches and updates. (Yes, I know, I already said that. It bears repeating.)
According to the U.S. Computer Emergency Readiness Team (CERT), there are currently patches available for the following systems: CentOS, Debian, Red Hat, and Ubuntu.
In the meantime, keep watching for updates, and check with software developers directly if you need information on a particular piece of software.