Shellshock! Are You Vulnerable?

Category: Security

A serious flaw was recently discovered in software that's found on untold millions of web servers. But desktops, laptops, smartphones and other devices may be vulnerable to the “Bash Bug” as well. Read on to cut through the hype and find out whether you need to take action...

Bigger and Badder than Heartbleed...

Forget about Heartbleed, you’re about to get Shellshock from the Bash Bug. Another flaw in an open-source program commonly used in just about everything was announced on September 24 by its discoverer, Unix specialist Stéphane Chazelas. The new flaw is being called both “Shellshock” and “Bash Bug.” (I wrote about the Heartbleed flaw in my article A Gaping Hole in Internet Security.)

The bug exists in the “Bash” command shell, most commonly found on computers that run some version of the Unix operating system. Some early stories predicted the end of the world as we know it, but I've waited a few days for the dust to settle, so I could gather the facts and deliver them here.

There's no doubt this flaw is a doozy. The National Institute of Standards and Technology (NIST) rates its danger level at a 10 out of 10; the Heartbleed bug got only a five. That’s because Heartbleed only enabled eavesdropping on data flowing through a compromised machine, while Shellshock enables an attacker to take control of a device and do whatever he wishes with it.
Shellshock - Bash Bug

Also, the Heartbleed bug affected only web servers, while Shellshock is estimated to exist in 70% of all devices connected to the Internet. Finally, the Shellshock flaw can be exploited via “worms,” self-replicating malware packages that spread like wildfire from one networked device to all others it touches via the Internet.

Who Needs to Worry?

Shellshock is primarily a Unix bug. But in addition to web servers, lots of other computers run some variant of Unix, including Mac OS X, iPhones, iPads, Android-powered phones and tablets, internet routers, streaming video boxes, and scores of other gadgets. The Bash software can even be installed on Windows computers.

If you run a web server that's Unix or Linux based, you must take action. Visit this page to find out how to test your server for the Shellshock vulnerability, and find instructions for installing a patched version of the Bash software.

Just about any device with the word “smart” in its name runs some form of Unix and could contain the Shellshock bug; smart watches, smart coffeemakers and refrigerators, smart home automation modules, even smart utility meters. So yes, the Shellshock bug probably exists in devices all around you, and in devices to which your devices connect.

HOWEVER... if you're a typical home computer user, there's nothing to worry about.

Windows computers don't come with the Bash software. You'd have to install it purposely, and you'd probably do that only if you were a Unix software developer. So computers running Windows should not be affected.

If you have an Apple desktop or laptop computer running Mac OS X, there's a small chance you might be affected, because OS X is built on Unix. But only those who use the "advanced Unix services" that are built into OS X need be concerned. So again, if you're not a Unix geek, no worries for Mac users.

But wait, didn't I also say that both iOS (which runs iPhones and iPads) and the Android operating system (which powers many popular smartphones and tablets) are based upon Unix? True enough, but the vulnerable Bash software is not present on those mobile operating systems. Unless you have jailbroken or rooted your device, or installed Bash yourself, you are safe from the Shellshock bug.

But What About Other Gadgets?

Patches that close the Shellshock/Bash Bug vulnerability will likely be issued haphazardly by device makers over the next month or so. As far as I know, gaming consoles, Tivos, and Roku boxes are not affected. But I'd still advise enabling the “automatic updates” feature wherever it exists on your Internet-connected devices and anything “smart” that may be in your home.

The best information I've found says that "nearly all" internet routers are safe as well. Routers typically require manual checks for firmware updates, so make a note to do that regularly. Check with your ISP or visit the router manufacturer’s website to see if a firmware update is needed.

As for smart utility meters and appliances that run embedded unix, my understanding is that most of these devices run a Bash alternative called busybox, which is not vulnerable. Some older devices, such as security cameras, may be vulnerable to the Shellshock bug. But it may be nearly impossible to patch them. They are often designed without any means to update their operating systems, short of replacing the embedded hardware on which the OS resides.

If there's a silver lining to this story, it's that Shellshock is more difficult to exploit than Heartbleed. It’s not enough for the Bash software to exist on a device; it must be actively in use when an attacker strikes in order to be exploited. If a device has the Bash shell but doesn’t use it, it’s immune to Shellshock attacks.

The Bash/Shellshock bug has existed since 1992, but only since it was announced on September 24 have security researchers detected any attempts by hackers to exploit it. That doesn’t mean Shellshock hasn’t been exploited, but it appears that this bug’s existence was overlooked by snoops, hackers and men with black sunglasses for 22 years, too.

Bottom line, if you are a webmaster for a site that runs on some version of Unix or Linux, or a person who uses the command line on a Unix-based computer, you need to test your system and apply a patch. Otherwise, “keep calm and carry on.” Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 30 Sep 2014

For Fun: Buy Bob a Snickers.

Prev Article:
Belkin WeMo Home Automation

The Top Twenty
Next Article:
Geekly Update - 01 October 2014

Most recent comments on "Shellshock! Are You Vulnerable?"

Posted by:

30 Sep 2014

Bob's article doesn't say, but linux is a distant relative of Unix, so I wonder ,, Is Linux affected by the 'bash bug'?

EDITOR'S NOTE: I think it's more accurate to say that Linux is one implementation of Unix, not a cousin, and especially not distant. So yes, Linux systems are affected,

Posted by:

30 Sep 2014

Bob, for Windows users, what do you think is the risk of information being intercepted when we connect to online retailers? I imagine that Amazon and eBay and banks are full of servers running Unix or Linux.

EDITOR'S NOTE: You can bet that any company with an IT department jumped on this with both feet last Thursday, and didn't stop until the fix was applied.

Posted by:

Jim Michaels
30 Sep 2014

I've got anywhere from 6 - 15 linux distros in a Vbox(Oracle) on my Win7 host machine. Some, but not all have sent out patches. Is this host machine vulnerable?

EDITOR'S NOTE: No, you'd have to be running an instance of a Linux distro that's actively using Bash. Simply having the Linux images on your host machine does not pose any risk.

Posted by:

30 Sep 2014

I have a jailbroken iPad Air that I only jailbroke to stop the incessant ads that disrupted my browsing experience. I'd hate to have to remove my jailbreak but now I'm concerned that that device is my only exposure to this bug.

EDITOR'S NOTE: Here's some info on that:

Posted by:

30 Sep 2014

Once again great information from Dr. Bob. I just made a $5 contribution. I would suggest you make your Snickers pitch larger and easier to find. Maybe a small box somewhere? Don't be modest!x

Posted by:

30 Sep 2014

Should Linux users expect a bash update? Should we be using a different shell for now?

EDITOR'S NOTE: Generally, you need to do the updates yourself, unless you (or your hosting company) has done something to automate them. Once you apply the update, you can continue using Bash safely. What Linux are you running?

Posted by:

30 Sep 2014

will this bash bug (shellshock) affect iWeb websites? i am OSX 10.6.8... and don't really want to upgrade because i LOVE Snow Leopard..

EDITOR'S NOTE: I've not seen any indication that it does, but I don't know enough about how iWeb sites operate to be sure.

Posted by:

01 Oct 2014

I have a Mac but it looks like it is not/will not be affected. Thanks again for all the good info you provide in a concise and often humorous manner. I have been getting your posts for years.
I want to thank Lynn too for the donation and for mentioning it. I just sent you some $$ too. You provide a great service.

Posted by:

01 Oct 2014

Use the following command on Linux commandline to test if your computer is vulnerable:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'

your system wil return the following if it is vulnerable:
vulnerable hello

Update your systems accordingly and run the command again, it should return "hello" if it is not vulnerable.

Posted by:

01 Oct 2014

I have a Motorola Moto G Android phone from Boost Mobile that was "reprogrammed" to operate on Pageplus Cellular. Is my phone vulnerable and if so, what can a hacker do with it, read my gmail?

EDITOR'S NOTE: No worries, your phone was not rooted.

Posted by:

01 Oct 2014

I'm using Mint. I apply updates regularly, but haven't seen one for bash.

Posted by:

02 Oct 2014

@ Nigel

Given the extremely mixed bag of responses of companies and their IT departments' to other and even long standing threats, I wouldn't bet any such thing. Or at least not with my own money.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Shellshock! Are You Vulnerable? (Posted: 30 Sep 2014)
Copyright © 2005 - Bob Rankin - All Rights Reserved