Friday, 26 September 2014

Shellshock: Everything You Need to Know About the Bash Bug



You may remember the commotion surrounding the Heartbleed incident several months ago? Well, Shellshock is much bigger. Shellshock, also known as the Bash Bug, is a very different kind of bug from Heartbleed. While Heartbleed took advantage of a data-validation flaw in OpenSSL, Shellshock takes advantage of Bash by manipulating the user-agent string provided to it.


What is the Shellshock Bash Bug?


Put simply, an attacker can use a program like Terminal on OS X to send commands to Bash. Bash then executes those commands because it believes they are valid.


You can check out Terminal yourself if you use a Mac. Simply go to the Finder, open the Applications folder (from the "Go" menu), then the Utilities folder, and then open "Terminal." It should look like this:


[Image: example of the Terminal window, illustrating the Shellshock Bash bug]


You should see that the menu bar says "Bash". Bash is a Unix shell written by Brian Fox for the GNU Project. It stands for Bourne-Again Shell and has become an industry standard over the last two decades.
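Since the vector described above is a crafted user-agent string that reaches Bash through a web server (typically via CGI), one defender-side check is to scan the web server's access log for the Shellshock marker `() {` in request headers. The following is an added example, not code from the original post; the log lines are constructed and the Apache/nginx "combined" log layout is assumed.

```python
import re

# Constructed sample access-log lines in "combined" format. Lines 2 and 4
# carry a harmless Shellshock-style marker in the User-Agent and Referer
# fields respectively; the other lines are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:10:02:33 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo vulnerable"
203.0.113.9 - - [26/Sep/2014:10:03:01 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [26/Sep/2014:10:04:45 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; echo vulnerable" "-"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger is an exported Bash function definition, which always
# begins with "()" followed by "{" (optionally with whitespace in between).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text):
    """Scan log text and return one record per line whose headers carry the marker."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Any header a CGI handler copies into the environment can carry the
        # payload, so check the User-Agent, Referer and request line.
        for field in ("ua", "referer", "req"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "field": field, "value": rec[field], "request": rec["req"]})
                break
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f'{hit["ip"]} -> {hit["field"]}: {hit["value"]!r} ({hit["request"]})')
```

The same pattern is what IDS and WAF signatures for Shellshock match on; running it over real logs surfaces probing attempts against CGI endpoints, which is the signal to confirm that Bash on the host has been patched.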


Who is at risk?


The bug appears in Bash version 1.13 and later, and the vulnerability is widespread. Users of Mac OS X, Unix and servers running Linux are all vulnerable. That is a lot of people. While devices running Windows are not directly at risk, routers are, and a compromised router can be used to compromise your Windows device.


Josh Reading, Technical Director at Mobius Media, said, “Imagine if your computer was your house, and all of the houses just unlocked. Now webmasters and server professionals are rushing to relock the houses by patching their vulnerable systems.”


“A patch has been released and we have secured all of our systems, but it is up to individual webmasters to do the same.”


Final Thought


Like Heartbleed, Shellshock is an example of an open source platform that has become widely used across the industry. While this is generally a good thing, projects like OpenSSL and Bash are relatively poorly funded. As a direct result of Heartbleed, companies (such as Facebook) have invested in these open source projects in order to make them more secure.


Helpful sites: Mobius Media - Web Development






