Overview
The Shellshock Bug is a security flaw in the Unix Bash Shell which attackers can use to gain unauthorized access to computer systems, including Apple’s Macintosh computers and smartphones running the Android operating system. After it was discovered in early September 2014, reports of hackers using the bug to create botnets for DDoS attacks began circulating widely online.
Background
In 1987, programmer Brian Fox wrote the Bash Shell as a free piece of software which was subsequently used on a variety of computer operating systems, including GNU, Linux and Mac OS X. In 1992, Fox handed over Bash to programmer Chet Ramey, who maintained the software as a hobby. According to an interview with the New York Times,[1] Ramey speculates he may have introduced the Shellshock bug in a software update after taking control of Bash that year. On September 12th, 2014, Ramey was contacted by programmer Stephane Chazelas about a Bash security flaw he dubbed “Bashdoor.” On September 24th, Seclist[2] mailing list member Florian Weimer started a thread about the discovery, noting an official upstream patch would be released soon. That day, Twitter user Andreas Lindh[4] posted a tweet referring to the bug as “Shellshock.”
Notable Developments
Compromised Machine Reports
By September 25th, reports began circulating that hackers were attempting to exploit the vulnerability with malware titled “Bashlite.” That day, the software security company Kaspersky Lab claimed three machines had been compromised and were carrying out DDoS attacks against various unidentified targets.[3] On September 26th, the network security company Incapsula reported that upwards of 17,000 attacks had been carried out against more than 1,800 web domains in the United States and China over the previous 24 hours.[5]
Apple Statement
On September 26th, Apple released a statement informing Mac OS X users that the “vast majority” were not at risk of being compromised by the bug:
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities… With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”[6]
External References
[1] New York Times – Security Experts Expect Shellshock Software Bug in Bash to Be Significant
[2] Seclist – CVE-2014-6271 remote code execution through bash
[3] Wired – Hackers Are Already Using the Shellshock Bug to Launch Botnet Attacks
[4] Twitter – @addelindh
[5] New York Times – Companies Rush to Fix Shellshock Software Bug
[6] Macworld – Apple says most Mac users are safe from Shellshock Bash bug