Worse Than Heartbleed? Meet ShellShock: A New Security Threat For OS X and Linux

A serious security issue with the Bash shell – a major component of both most UNIX-like operating systems – has been discovered, with significant implications for computer security worldwide.

The issue is present in all versions of the Bash scripting language up to version 4.3, which effects a majority of Linux machines, and the entirety of computers running OS X. and can see an attacker exploiting this issue to launch their own code.

Curious about how it works and how to protect yourself? Read on for more information.

What Is Bash?

Bash (standing for Bourne Again Shell) is the default command line interpreter used on most Linux and BSD distributions, in addition to OS X. It is used as a method of launching programs, using system utilities and interacting with the underlying operating system by launching commands.

In addition, Bash (and most Unix shells) allow the scripting of UNIX functions in small scripts. Similarly to most programming languages – such as Python, JavaScript and CoffeeScript – Bash supports features common with most programming languages, such as functions, variables and scope.


Ads by Google

Bash is near ubiquitous, with many people using the term ’Bash’ to refer to all command line interfaces, regardless of whether they’re actually using the Bash shell. And if you’ve ever installed WordPress or Ghost through the command line, or tunneled your web traffic through SSH, you’ve quite possibly used Bash.

It’s everywhere. Which makes this vulnerability all the more worrying.

Dissecting The Attack

The vulnerability – discovered by French security researcher Stéphane Chazleas – has caused a great deal of panic in Linux and Mac users worldwide, as well as attracted attention in the technology press. And for good reason too, as Shellshock could potentially see attackers gaining access to privileged systems and executing their own malicious code. It’s nasty.

But how does it work? At the lowest possible level, it exploits how environment variables work. These are used both by UNIX-like systems and Windows to store values that are required for the computer to function properly. These are available globally available across the system and can either store a single value – such as the location of a folder or a number – or a function.


Functions are a concept that is found in software development. But what do they do? Simply put, they bundle a set of instructions (represented by lines of code), which can later be executed by either another program or a user.

The issue with the Bash interpreter lies in how it handles storing functions as environment variables. In Bash, the code found in functions is stored between a pair of curly braces. However, if an attacker leaves some Bash code outside of the curly brace, it will then be executed by the system. This leaves the system wide-open for a family of attacks known as code-injection attacks.

Researchers have already found potential attack vectors by exploiting how software such as the Apache web server, and common UNIX utilities such as WGET interact with the shell and use environment variables.

How Do You Test For It?

Curious to see if your system is vulnerable? Finding out is easy. Just open up a terminal, and type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test”

If your system is vulnerable, it will then output:

vulnerable   this is a test

Whilst an unaffected system will output:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"   bash: warning: x: ignoring function definition attempt   bash: error importing function definition for `x'   this is a test

How Do You Fix It?

By the time of publication, the bug – which was discovered on the 24th of September, 2014 – should have been fixed and patched. You simply need to update your system. Whilst Ubuntu and Ubuntu variants use Dash as their main shell, Bash is still used for some system functionality. As a result, you’d be well advised to update it. To do that, type:

sudo apt-get update  sudo apt-get upgrade

On Fedora and other Red Hat variants, type:

sudo yum update

Apple is yet to release a security fix for this, although if they do, they will release it through the app store. Ensure you are regularly checking for security updates.


Chromebooks – which use Linux as their foundation, and can run most distros without much fuss – use Bash for certain system functions and Dash as their main shell. Google should should update in due season.

What To Do If Your Distro Hasn’t Fixed Bash Yet

If your distro is yet to release a fix for Bash, you might want to either consider changing distributions, or installing a different shell.

I’d recommend beginners check out Fish Shell. This comes with a number of features that aren’t currently available in Bash and make it even more pleasant to work with Linux. These include autosuggestions, vibrant VGA colors and the ability to configure it from a web interface.

Fellow MakeUseOf author Andrew Bolster also recommends you check out zSH, which comes with tight integration with the Git version control system, as well as autocomplete.

The Scariest Linux Vulnerability Yet?

Shellshock has already been weaponized. Within one day of the vulnerability being disclosed to the world, it had already been used in the wild to compromise systems. More troublingly, it’s not just home users and businesses that are vulnerable. Security experts are predicting that the bug will also leave military and government systems at risk. It’s almost as nightmarish as Heartbleed was.

So, please. Update your systems, okay? Let me know how you get on, and your thoughts about this piece. Comments box is below.

Photo Credit:zanaca (IMG_3772.JPG)

Leave a Reply

Your email address will not be published. Required fields are marked *