
'Bigger than Heartbleed' Shellshock flaw leaves OS X, Linux, more open to attack

Brad Chacos | Sept. 26, 2014
The good news: Patches are already rolling out. The bad news: This devastating vulnerability could be around for a long, long time.

As a result, Ellis and Rapid7 urge keeping a level head about the bug.

"We're not keen to jump on the 'Heartbleed 2.0' bandwagon. The conclusion we reached is that some factors are worse, but the overall picture is less dire... there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild. Heartbleed was much easier to conclusively test and the impact way more widespread."

While older Internet-connected devices (like, say, security cameras) seem to be likely victims of Shellshock, respected security researchers Michal Zalewski and Paul McMillan note that many embedded devices don't actually use the Bash shell at all.

How to tell if you're vulnerable
Beyond Linux-based systems, Graham and Ars Technica report that Mac OS X Mavericks contains a vulnerable version of Bash.

To test if your version of Bash is vulnerable to this issue, Red Hat says to run this command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system responds with the following, then you're running a vulnerable version of Bash and you should apply any available updates immediately:

vulnerable

this is a test

"The patch used to fix this issue ensures that no code is allowed after the end of a Bash function," Red Hat reports. So rather than spitting out "Vulnerable," a protected version of Bash will spit out the following when you run the aforementioned command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for 'x'
this is a test
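The same Red Hat probe, wrapped so it can be run against any Bash binary on a host and classified automatically. This is an added example, not code from the article or from Red Hat; the function names, the default binary name and the classification rule (output that begins with "vulnerable" means the trailing code ran) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): run the Red Hat Shellshock probe
# against a Bash binary and report whether the environment-import path
# executed the code placed after the function body.

# classify_shellshock_output OUTPUT
# Prints "vulnerable" when the probe's trailing "echo vulnerable" ran at
# shell startup (it appears before the -c command's output), "patched"
# otherwise (a fixed Bash prints the "ignoring function definition" warning).
classify_shellshock_output() {
    case "$1" in
        vulnerable*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# probe_shellshock [BASH_PATH]
# Exports a variable whose value looks like a function definition followed
# by extra code, starts the given Bash (default: "bash" on PATH, an
# assumption), and classifies what it printed. Prints "not-found" if the
# binary cannot be located, so a missing shell is not mistaken for a fix.
probe_shellshock() {
    shell="${1:-bash}"
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo not-found
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>&1)
    classify_shellshock_output "$out"
}

# Usage: ./probe.sh [/path/to/bash]; exits 1 when the binary is vulnerable.
if [ "${SHELLSHOCK_PROBE_MAIN:-0}" = 1 ]; then
    result=$(probe_shellshock "$1")
    echo "$result"
    [ "$result" != vulnerable ]
fi
```

The probe only exercises the environment-variable import path that the article's test command describes; whether a given service is exploitable still depends on whether it hands attacker-controlled data to Bash through the environment at all, which is the point Rapid7 makes above.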

What does this mean?
When it gets down to brass tacks, most major websites and modern gadgets you own likely won't be affected by this Bash vulnerability, and Apple will no doubt patch the OS X implementation quickly. (Here's a highly technical DIY fix for now.)

It's impossible to know just how far this flaw reaches, and it's likely to linger on in neglected websites, older routers, and some legacy Internet of Things devices, many of which are impossible to patch, providing an opening for determined hackers to sneak into those systems.

So what should you do? Here's some actionable advice from security researcher Troy Hunt's tremendous in-depth primer on Shellshock:

"In short, the advice to consumers is this: watch for security updates, particularly on OS X. Also keep an eye on any advice you may get from your ISP or other providers of devices you have that run embedded software. Do be cautious of emails requesting information or instructing you to run software - events like this are often followed by phishing attacks that capitalize on consumers' fears."
