Bash is installed on many computers running operating systems derived from Unix. That includes Macs and iOS devices, as well as many servers running operating systems such as Linux, like the enterprise versions we run. MacBooks and iPhones do not run Bash in an unsafe way, so it is not as much of an issue there, but most servers, devices and smart appliances everywhere are affected.
Bash (Bourne-Again SHell) is a command processor, typically run in a text window, that lets the user type commands which cause actions. It is a favorite among system administrators. Because the Bash shell is entirely text-based, it's particularly useful for administering a computer remotely, as it allows for faster control and scripting of commands.
A major security flaw was discovered in Bash, which is the most popular shell, and it is considered a larger threat than the recent Heartbleed security issue. The Department of Homeland Security's United States Computer Emergency Readiness Team, or US-CERT, issued an alert as well. Tod Beardsley, a manager at cybersecurity firm Rapid7, warned the bug was rated a "10" for severity, meaning it has maximum impact, and rated "low" for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks. "Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," Beardsley said. "Anybody with systems using Bash needs to deploy the patch immediately."
This bug has already been taken advantage of by malicious software writers, who are actively exploiting the issue with a script called "Shellshock".
The vulnerability has been addressed by the Bash maintainer, Chet Ramey, who said in an email to the community that a patch has been released which addresses the issue.
A simple test will show if you're vulnerable. Run the following command in your shell:
env X="() { :;} ; echo RISK" /bin/sh -c "echo test"
If you see the word "RISK" you are vulnerable and will want to update immediately.
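The test above only exercises /bin/sh, which on some systems (Debian and Ubuntu, for example) is dash rather than Bash, so a clean result there says nothing about an installed Bash. The following added example, which is not part of the original notice, runs the same test string against each likely shell binary. The function names and the candidate path list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: apply the page's test string to one shell binary.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = path is not an executable.
check_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || return 2
    # A vulnerable Bash runs the trailing "echo RISK" while importing X,
    # before the harmless "echo test" command is executed.
    out=$(env X='() { :;} ; echo RISK' "$shell_path" -c 'echo test' \
          2>/dev/null </dev/null) || true
    case $out in
        *RISK*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Candidate binaries: common install paths (assumed) plus whatever
# "sh" and "bash" resolve to on this machine's PATH.
list_candidates() {
    {
        printf '%s\n' /bin/sh /bin/bash /usr/bin/bash /usr/local/bin/bash
        command -v sh || true
        command -v bash || true
    } | sort -u
}

# Report on every candidate; exit status 1 if any of them is vulnerable.
scan_shells() {
    found=0
    for s in $(list_candidates); do
        rc=0
        check_shell "$s" || rc=$?
        case $rc in
            0) echo "VULNERABLE: $s"; found=1 ;;
            1) echo "ok: $s" ;;
        esac    # rc 2: binary not present at this path, skipped
    done
    return "$found"
}

scan_shells
```

A non-zero exit status from `scan_shells` means at least one binary still needs the patch, which makes the script usable from a configuration-management or monitoring job.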
We updated all of our servers within 24 hours of the notification to keep your data secure from this vulnerability.
Thursday, September 25, 2014