Security researchers from around the net are sounding the alarm over a recently discovered computer bug named Shellshock (Bash). It’s a massive security hole that's arguably worse than the Heartbleed bug from earlier this year. Here’s what you need to know about this new threat, and what you need to know to stay protected from the fallout.
What is Shellshock (and Bash)?
Shellshock is a security hole located in a component of the Unix operating system called Bash that handles commands. Few computers these days run Unix itself – it’s an antiquated OS conceived many decades ago. But since Unix is the grandfather of the Linux and Mac OS X operating systems, they too contain the Shellshock Bash vulnerability. Nearly half of the webservers currently in operation run Linux, so that’s a very big problem.
The vulnerability would let hackers run virtually any command on the machine they want. A person could steal your personal and financial data from one of the many, many website servers that currently run a version of Linux. Or they could connect to your connected home network and turn on your Wi-fi home security camera (again, Linux-based) to spy on you. Or they could take over your MacBook. The possibilities are nearly endless, simply because the Shellshock bug can be exploited in so many ways.
How can you stay safe?
The biggest security implications of Shellshock deal with the webservers that house many of your favorite online sites and accounts. There's little you can do here other than wait for their administrators to patch the bug. The good news is that these holes are being patched quickly. Many already are.
Meanwhile, recognize that your home router, connected home devices and possibly your home computer could have the security hole, too. Keep an eye out for emails from your Internet service provider on the topic, in case you need to update the firmware on your router. Use common sense, however – some hackers may use this threat as an excuse to send phishing emails or to try and trick you into downloading malware to your computer.
If you own an Apple computer running OS X, it's vulnerable to the Shellshock Bash bug. (Windows-based PCs should be safe.) Make sure you install security updates to your operating system ASAP once Apple provides them. Of course, this should be standard operating procedure for most Techlicious readers, as it’s the first line of defense against compromises, known or otherwise.
Update (9/26): The computer security specialists at TrendMicro have released a set of free tools for those concerned about the Shellshock bug. They will let you know if a website you're visiting is vulnerable to Shellshock Bash. And for more advanced users and server administrators, patching and threat analysis tools are also available. You can access the free protection suite by visiting the TrendMicro website.
More good news: Apple says the "vast majority" of OS X devices should be safe from Shellshock unless you have manually configured advanced UNIX services. If you're not sure what that means, your computer is probably fine. Still, Apple is promising to quickly release a security patch to addresses the issue for all Mac users; everyone should install it when it becomes available.
[Vulnerable computer code via Shutterstock]
From nan on September 26, 2014 :: 10:55 am
I’m so happy you put this out. I am windows based, but received one of those phishing emails today. I deleted it because I had never heard of Shell shock before. Love that you keep me updated on these things.
Reply