While I don’t generally cover OS vulnerabilities, this one is so far-reaching as to be on most people’s radars and imperils a host of websites, embedded devices, PCs, Macs, Android, and potentially more. It’s a BASH shell vulnerability nicknamed Shellshock, and it leaves many of our devices completely vulnerable if they are reachable over a network.

To find out whether you have BASH and even need to worry about it, open a terminal emulator and, if you don’t immediately see a BASH prompt, type “bash”. If the shell is found, it might be time to take some security precautions.

Some Android devices have it, some don’t, and some ROMs package it with a distro. Mac’s underlying Darwin OS has it (I am told; I don’t have a Mac in front of me at the moment), and plenty of web servers are exploitable through it.

For a hacker to get to you, it appears they have to have access to your device in some fashion. In the case of web servers, they have to have figured out a login with any level of access (not terribly difficult according to every movie ever). On a phone, they have to have gotten you to download an app; but due to the nature of the vulnerability, once they have that access the program can execute whatever code they want.

Whether that code executes with elevated rights and could seriously affect desktops/phones I don’t know. Maybe. On the web server side it appears that the exploit has the potential to do anything it wants – store credit card numbers, email addresses, login info, ship it off elsewhere, etc.

Fedora Magazine has a great rundown of what the vulnerability is and why it works – tl;dr: an environment variable can be made to carry code that a well-meaning process then executes.

On the website end, it’s not a huge deal to patch. Ubuntu servers can be patched with two commands, “sudo apt-get update” and “sudo apt-get dist-upgrade”, and other flavors of Linux have their own package distribution systems that are just as easy. Once patched, a system will return the following whenever something attempts to exploit the Shellshock vulnerability:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for ‘x’
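A self-check you can run on any box with bash, added here as an example and not part of the original post: it feeds the local bash the widely published probe (an environment variable holding a function definition with an extra command tacked on after the closing brace) in a child process and reports whether that extra command ran. The function names, the variable name “probe” and the marker strings are my own choices.

```shell
#!/bin/sh
# Added example: Shellshock self-check for the bash on PATH (not from the post).
# A vulnerable bash executes the command that follows the function body when it
# imports the variable; a patched bash either warns, as in the lines above, or
# silently ignores the variable, depending on how recent the patch is.

# classify_output: turn the probe's combined stdout/stderr into one word.
#   vulnerable - the trailing command carried in the variable was executed
#   patched    - it was not (warning lines may or may not appear)
classify_output() {
    case "$1" in
        *"Shellshock-probe-executed"*) echo vulnerable ;;
        *)                             echo patched ;;
    esac
}

# shellshock_check: run the probe against bash in a child process, so nothing
# in the current shell's environment is touched, and classify the result.
#   no-bash    - no bash binary on PATH, nothing to check
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # Variable "probe" holds a do-nothing function followed by a harmless echo.
    # Only a vulnerable bash prints the marker; every bash prints "probe-finished".
    out=$(env probe='() { :;}; echo Shellshock-probe-executed' \
              bash -c 'echo probe-finished' 2>&1) || true
    classify_output "$out"
}

# Usage: report the verdict for the bash found on PATH.
verdict=$(shellshock_check)
echo "bash on PATH: $verdict"
```

Run it once before and once after applying the distro’s patch; the verdict should flip from vulnerable to patched.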

So what should I do?

Over the next few days, treat any website like it’s going to steal your information. Don’t trust apps from strange people offering candy. Stare menacingly at your computer to scare away hackers. Wait for the company that manufactures your product to issue a patch. Check your junk email folder for emails from companies you’ve purchased things from warning of vulnerabilities. Point at people who previously thought they were immune to these sorts of things and say “ha ha”.

Basically treat the internet like you should always treat the internet – a bunch of seriously compromisable pieces of equipment, software, and operating systems chained together waiting for a new exploit to screw up everything and steal your cat while someone tries to sell you that it’s completely safe and you still have a cat.

How concerned should I be for device x?

Hackers are probably going to focus more on the websites, as tricking your phone into executing the wrong bash function seems vaguely pointless. But it’s entirely possible there’s a reason a hacker wants control of your phone’s bash and I just haven’t had enough coffee to figure it out yet.