Bash Bug Affects OS X, Linux: "Worse Than Heartbleed"
The Bash Bug – also going by the nickname "Shellshock" – was discovered this week and has been identified as a serious threat to computers of all kinds around the world. The vulnerability exists inside Bash, a command shell that ships with operating systems such as Mac OS X, Linux, and Unix.
While Heartbleed allowed attackers to harvest data, the Bash Bug allows a skilled attacker to take remote control of systems on which the vulnerability is present. The United States CERT – Computer Emergency Readiness Team – has issued fixes for the following systems:
• CentOS
• Debian
• Redhat
• Ubuntu
Not running one of those? You're not alone. Have a peek at the full Red Hat Security Resolution thread for CVE-2014-6271 for Linux. The team at Akamai has suggested that the first fix for CVE-2014-6271, issued earlier today, "did not completely address the critical vulnerability" in what they call the "Bourne Again Shell (bash)".
Is there any widespread evidence of this bug taking control of computers around the world? No, there isn't.
Unfortunately, that doesn't mean the opposite is true: there is also no evidence that this bug HASN'T been the source of compromise for systems around the world for an unknown amount of time. The vulnerability has been found to affect all versions of Bash through 4.3, going back to the beginning. That's 25 years of one vulnerability.
We simply do not know how big this bug is or has been.
The NIST vulnerability database rates the severity of this bug as 10 out of 10. The security group Rapid7 also rates this Bash Bug as a 10 out of 10. Over at Seclists they've got just about the most intense description of this bug and how it works – if you're into that sort of thing.
For those of you who know what the following lines mean, by all means run them; for the rest of you, continue below. You can check whether your system is vulnerable by running these lines in Bash. If you see "busted", you're at risk.
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
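The same check, wrapped so it can be run as a script against any shell binary and used in a monitoring job: this is an added example, not part of the original article. The function name shellshock_probe and the canary string are assumptions made here; a vulnerable Bash runs the trailing command while importing the environment variable, so the canary shows up on stdout, whereas a patched Bash ignores it (and warns on stderr, which is discarded).

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the article): probe a shell
# binary for the CVE-2014-6271 environment-function import flaw.
# Prints "vulnerable" (exit 1) or "patched" (exit 0).

shellshock_probe() {
    shell="${1:-/bin/bash}"
    # Constructed canary; it should never reach stdout on a fixed shell.
    canary="SHELLSHOCK_CANARY_$$"
    # The value starts with "() {", so Bash treats it as an exported function.
    # A vulnerable Bash also executes what follows the closing brace.
    out=$(env PROBE="() { :;}; echo $canary" "$shell" -c 'echo probe-done' 2>/dev/null)
    case "$out" in
        *"$canary"*) echo vulnerable; return 1 ;;
        *)           echo patched;    return 0 ;;
    esac
}

# Usage: sh probe.sh /path/to/bash  (runs only when a path is given)
if [ $# -gt 0 ]; then shellshock_probe "$1"; fi
```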
While there is at least one way to patch your Mac, it's certainly not meant for the lay user. If you didn't understand the jargon immediately above this paragraph, you won't understand what's included in the fix on StackExchange. Instead you'll want to wait for the fix straight from Apple.
Until then – don't worry. Unless your computer holds the keys to the galaxy and you're sitting in a room full of hackers right this minute, you're probably not going to be targeted for anything in the immediate future.