Critical Bash Security Alert!
Last night, researchers disclosed a critical security bug affecting all versions of GNU Bash through 4.3. Any Linux, Unix, or Mac OS X machine running versions 1.14.0 to 4.3 of the command interpreter is vulnerable to remote execution of malicious code. NIST initially assigned the vulnerability CVE-2014-6271 and then CVE-2014-7169 to account for patching issues, and has rated the bug 10.0 in severity. Because the bug affects potentially hundreds of millions of machines, many are already comparing it to Heartbleed and have given it the name “Shellshock.”
Threat Mitigation
To check for the vulnerability, you can enter the following command into Bash:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Vulnerable versions will return:
vulnerable
this is a test
Non-vulnerable versions will return:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
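The one-liner above is handy for a single host, but administrators often need to run the same check unattended across many machines or against several Bash binaries. The script below is an added example, not part of the original post; it wraps the same environment-variable test in POSIX sh functions that return a status instead of relying on someone reading the output. It assumes only that the Bash binary to test is on PATH or is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the Emsisoft post): scripted version of the
# Shellshock check. Exit codes of shellshock_check:
#   0 = vulnerable, 1 = not vulnerable, 2 = could not run the given bash

shellshock_check() {
    bash_bin="${1:-bash}"                       # default: whatever "bash" is on PATH
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # The variable value looks like an exported function definition ("() { :;}")
    # followed by a trailing command. A vulnerable bash runs that trailing
    # command while importing the function; a patched bash only warns (stderr).
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null) \
        || return 2
    case "$out" in
        *vulnerable*"this is a test"*) return 0 ;;   # trailing command executed
        *"this is a test"*)            return 1 ;;   # only the real command ran
        *)                             return 2 ;;   # bash did not behave as expected
    esac
}

# Human-readable wrapper: prints vulnerable / patched / unknown.
# Written so it stays correct even when the caller has "set -e" active.
shellshock_status() {
    shellshock_check "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo vulnerable ;;
        1) echo patched ;;
        *) echo unknown ;;
    esac
}

# Report on every binary given on the command line, e.g. /bin/bash /usr/local/bin/bash
shellshock_report() {
    for b in "$@"; do
        printf '%s: %s\n' "$b" "$(shellshock_status "$b")"
    done
}
```

Run it as `sh shellshock.sh` after adding `shellshock_report "$@"` at the bottom, or source the file and call the functions from your own inventory scripts; a result of "unknown" means the binary could not be executed, not that it is safe.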
More technical specifics on how Shellshock works can be found at the Red Hat Security Blog. Users and administrators affected by Shellshock should apply patches immediately:
- Redhat patch
- CentOS patch
- Debian patch
- Ubuntu patch
Shellshock was discovered by Stephane Chazelas of Akamai. The company’s initial statement can be viewed here. As this vulnerability is an Internet-wide security issue, Emsisoft will continue to follow Shellshock as it develops and inform our users of any critical developments.
What should I do if I use Windows?
Those running Windows wondering what to do to stay protected should know that Shellshock does not directly affect their machine, but it could affect computers they interact with when they use the Internet. Unfortunately, there is nothing Emsisoft can do about this since Linux, Unix, and Mac OS X are not operating systems we support. The best we can do for now is sit tight, and hope that administrators who use these systems apply the appropriate patch as soon as possible.
Have a nice (malware-free) day!