Shellshock (CVE-2014-6271 and CVE-2014-7169) is the name of a bug affecting the Gnu Bash (Bourne-again shell) command-line shell, which can be used on many Linux and UNIX operating systems, as well as Mac OS X. It does not affect Windows computers unless you’ve installed Bash with something like Cygwin. While it’s unlikely that most consumer computers will be targeted, it’s a good idea to watch for updates for operating systems, firewalls, routers, switches, modems, printers, and household items that can be assessed over the Internet–TVs, thermostats, IP cameras, and other items.
It is already being exploited by worms and other malware.
Cisco, Red Hat, Debian, and Ubuntu have already issued updates. The first patch issued did not completely fix the problem, so make sure you update to the version that addresses CVE-2014-7169 as well as CVE-2014-6271. Apple has not issued any updates as of September 28, 2014.
This bug has been around for a very long time; the latest (safe) Bash version is 3.2.53. Brian J. Fox wrote Bash in 1987 and supported it for five years, and then Chet Ramey took over support–his unpaid hobby. Mr. Ramey thinks Shellshock was accidentally added in 1992.
We have a Macbook that was running a vulnerable version of Bash. I manually updated Bash per this article.
According to Qualys, here’s how to test for the vulnerabilities; at the command line, paste the following line (make sure this line is exact):
env var='() { ignore this;}; echo vulnerable’ bash -c /bin/true
If you have a vulnerable version of bash, the screen will display “vulnerable.” Just to be safe after updating, check the bash version by typing:
bash –version
Vulnerable versions will be before 3.2.53.
If you applied a patch before Friday, you might have a less-serious version of the error, which you can check by typing the following:
env X='(){(a)=>\’ bash -c “echo date”; cat echo; rm -f echo
This line will display the date if bash has not been completely patched. After patching, you will get an error when running this command.
Intentional Privacy 