Bash Bug Threatens Mac, Linux Security, and More
It’s been a few months since we were too worried about general Internet security, so thankfully we have a new exploit to freak out about. Referred to as “the Bash bug” or the “Shellshock bug,” the exploit was written about earlier this week by the Redhat Security Blog – though you’d be forgiven for not completely understanding the post’s dense explanation.
Apparently the Bash Shell has been hanging around since the 1980s, and it’s found in Macs and computers running Linux.
“It is common for a lot of programs to run Bash shell in the background,” says the post. “It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc).”
So here’s the problem:
“Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the Bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.”
What’s that mean? That machines vulnerable to this bug can be “exploited remotely,” explains TechCrunch. Those machines could include Macs, Linux computers, even Internet of Things devices and smartphones – Android, after all, was built on Linux. Apparently Windows PCs are safe for now, according to another slide from TechCrunch, but who knows how long that will remain true?
In the meantime, the best way to limit your vulnerability is to make sure your machines are running the most up-to-date software. Moreover, while Macs are potentially vulnerable to the Bash bug, a post on CNET offers up a statement from Apple:
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
Of course, with every security exploit that seems to pop up, the best advice is simple and timeless:
[Sources: Redhat Security Blog, TechCrunch, CNET]