[NewsPoster]

A new bug may have a greater potential for harm than April's Heartbleed vulnerability, according to reports. The "Shellshock" vulnerability in Bash, a Unix shell typically used in Linux systems as well as in OS X, apparently allows for code held in environment variables to be executed within the shell as soon as it is invoked, potentially allowing for the control of affected systems to be taken over by another user.

The Red Hat team which discovered the bug has already come up with a a patch, with the United States Computer Emergency Readiness Team (US-CERT) reporting that various Linux distributions have also been updated to fight the vulnerability, though this may not be enough.

Errata Security claims Shellshock has been open to abuse for a considerable amount of time, and that the number of affected devices is likely to be far higher than Heartbleed, and depending on the device, may not be patchable in some cases. "An enormous percentage of software interacts with the shell in some fashion," writes Robert Graham, continuing "Thus, we'll never be able to catalogue all the software out there that is vulnerable to the bash bug."

Apple has yet to issue a patch or guidance regarding Shellshock, though The Verge notes a user on Stack Exchange has explained how OS X users can test to see if they are vulnerable, and for advanced users, how to patch Bash.

[daqman]

Maybe someone can help me out understanding this. It's a bug in bash that allows code held in environment variables to be executed. The problem I'm having is that, at least with the example shown, to take advantage of the bug you have to have access to bash. If someone has such access then they can already execute any code that they want so you are already in trouble. I'm missing why a vulnerability that is only accessible via another vulnerability is such a big deal.

[just a poster]

it's a big deal for shared computers and shared unix environments. for instance, if somebody has local access to your computer as "guest". also, any software you install can hide a trojan to take advantage of this vulnerability and install malicious software.

apple needs to provide a fix for this quickly. its reputation is on the line.

[DiabloConQueso]

That's not the only way they could execute code.

Take CGI scripts, for example -- they're typically shell scripts in and of themselves, or rely heavily on them. Now, imagine a web page that takes some user input (name, email, what have you), that data is, in turn, run through a CGI script that relies on executing bash commands to manipulate that data (sorting, formatting, etc.) and the web service is sloppy about sanitizing the user input (so, the user cound put some kind of bash commands/code in place or in addition to their name in the name field).

In a simplified scenario such as that, the user has indirect access to the bash shell -- perhaps the code they execute is simply a short bash script that locates the password file and FTPs it over to a server under the user's control -- which they they run a brute-force or perhaps rainbow table attack against, and potentially getting administrative or root password(s) to the system.

While the example is simplified, and in reality probably infeasible exactly as stated above, the concept is real and is a very big threat.

Because (and despite the fact that there's an opinion that they're kind of antiquated) CGI is used so extensively across the web, and has been for so long, on machines that might be secure but outdated or lacking on updates, this vulnerability probably exists in a great, great many places. The way it's exploited and the fact that it went for so long undiscovered just compounds the issue.

So, it's not that bash shell access is *required* to take advantage of this exploit, it's that bash shell access is one of the the *goals* of this exploit, and it's an easily executed attack on machines sporting lazy CGI routines, of which there are many.

The good news is that it's easy to test whether or not a machine is vulnerable, and patches for most all major, popular UNIX (save for Mac OS X thus far) and Linux distros are releasing patches for quickly. The problem is that the machines must be updated to become secure again, and, believe it or not, for some companies with many, many servers and computers, there might be machines that go unnoticed or forgotten about.

[Mike Wuerthele]

Also think routers, and Internet facing devices, many of which are old, and may not ever get updated. Think Internet of Things, with hardware servers which are not only difficult to patch, but hard to get users to update the firmware on, even if they know it exists.

[lockhartt]

chsh -s /bin/tcsh on really old OS X Server
and chsh -s /bin/zsh on newer but still old OS X Server

mv bash dead_bash = no more bash

Hulk smash