Bookmark This! September 26, 2014 posted by Nigel

The Plain Man’s Guide to What The Massive Shellshock Bug Means For You

The big tech news of the moment, and probably of the year or decade, is the revelation about a massive security hole in something called Bash, which is an arcane bit of geek code which is installed on many of the computers which power and host the Internet (and also Apple Mac computers). Here’s our plain man’s guide to what it means for you.

1. Over 51% of all web servers (i.e. websites) are running on the Linux operating system. Bash was historically a commonly used software component of Linux. Therefore the vulnerability instantly makes all these machines potentially susceptible to attack. That is a Very Big Deal. Because Apple Macs also use Linux as the basic system, this means Macs are also vulnerable. But see below.

2. The exploit only affects web servers directly, i.e. computers which are connected to the Internet, and operate webcode or websites. So your laptop computer will likely not be vulnerable unless you have some web server programs installed. In addition this web server code needs to include CGI and Bash for it to be exploitable. Very geek.

3. It is not clear how many web server computers are vulnerable, because it is not clear how much CGI and Bash is still being used. Most websites now use newer technologies, but there are still a not insignificant number of web computers using ‘back-end’ functions where Bash/CGI may be employed. However in general terms, Linux hardware like Android phones and home Internet routers should be safe, because they do not use those components.

[image]

4. In order for the most serious part of the exploit to be run, the attacker needs to have access to the system in the first place (i.e. login, permissions etc), which immediately means the server then has much more of a security problem than just Shellshock. However, there is a form of attack where a remote attacker could add a nasty command to a web browser, which could suck private data from a web server like passwords, or other private information. This second form of attack is the one which worries security people the most.

5. Almost all of the major distributions of Linux have already had patches installed. Shellshock is therefore primarily of concern mainly for older, or small business computer installations, which may be running unpatched (i.e. unfixed) versions for a long period. Apple has yet to issue a patch for the problem. Similarly older or smaller web hosting services with sloppy security and upgrade procedures will be vulnerable.

6. How to test if your computer is vulnerable (warning – geek stuff): Run –

env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

If your computer is OK, you will see :

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

If your computer is NOT OK, you will see:

env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
vulnerable
this is a test

7. How to fix your computer if it is vulnerable (see above warning):
1) open a terminal
2) type “sudo yum -y update bash”
3) wait until it says it’s finished, then log out of your computer and log back in.

8. Just to repeat: Shellshock is not a problem in and of itself if your device is securely protected by having authentication on all open ports, and full blown security systems in place around the CGI/Bash implementation. So while there are 78 million web servers which may potentially be vulnerable right now, it will still require the other components of the attack to be in place. Even so, one estimate suggests that between 3000 and 3 million computers (!) POSSIBLY could be vulnerable.

9. Again, if you do not run a web connected computer with CGI and Bash components installed, you will not be vulnerable at all. Windows itself is not vulnerable, it is only Linux systems (and to a lesser degree ordinary consumer Apple Macs). Despite rumours, there are no reports as yet of small Linux hardware devices (e.g. GPS, phones, security etc) being vulnerable, because most of them do not use Bash.