The Bash Bug Explained

Everything you wanted to know about the “Bash” Bug

The Bash Bug (also known as Shellshock) is being heralded as one of the biggest vulnerabilities ever…possibly bigger than the Heartbleed bug earlier this year.

To Begin With…What is the Bash bug?

To start, we refer to the CVE entry in the NIST National Vulnerability Database to get a good sense of the severity of the vulnerability:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

The bug has been given a rating of “10 out of 10” for severity or…in other words, as bad as it can get. This problem is further compounded by the fact that it’s easy to execute the attack (access complexity is low) and perhaps most significantly, there is no authentication required when exploiting Bash via CGI scripts.

The bug (also known as Shellshock) is in a commonly used piece of system software called Bash. Bash has been in existence since 1989. Bash stands for Bourne-Again SHell. It’s a computer program that allows users to type commands and executes them. In short, Bash is a command shell — “the thing you use to tell your computer what you want it to do,” says Christopher Budd, who is the global threat communications manager at Trend Micro. It is used on a variety of Unix-based systems, including Linux and Mac OS X. Devices using Unix include: servers, routers, Android phones, Mac computers, and medical devices.

Source http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability

What it Does and Who is Affected

The Bash bug lets outsiders take control of an affected device to install programs or run commands. It exploits a security hole in Bash, the program that tells your computer, or other systems, what to do. However, a perfect set of conditions needs to be present for the latest bug to be open to exploitation, which could limit its effect.

Industry professionals have estimated that about half a million websites were vulnerable to the Bash bug. For the most part, consumer devices such as MacBooks and iPhones don’t seem to be running services that use Bash in an unsafe way. That means they are probably not vulnerable to hacks from across the internet. But we won’t know that for sure until security experts have had time for a careful audit.

Most Microsoft software doesn’t use Bash, so users running Windows PCs, people with Windows phones, as well as websites built using Microsoft software, are probably safe from these attacks. Also, it looks like most Android phones are not vulnerable because they use a Bash alternative.

What To Do

HD Moore, chief research officer with security software maker Rapid7, said it could take weeks or even months to determine what impact the bug will have.

“At this point we don’t know what we don’t know, but we do expect to see additional exploit vectors surface as vendors and researchers start the assessment process for their products and services,” said Moore. “We are likely to see compromises as a result of this issue for years to come.”

Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Patches released on Wednesday by Linux vendors, the upstream maintainer of Bash, and others for OS X blocked these early attacks, but it’s understood they do not completely protect Bash from code injection via environment variables.

Also keep an eye on any advice you may get from your Internet Service Provider, or other providers of devices you have that run embedded software.

NOTE: Be very cautious of emails requesting information or instructing you to run unknown software. Events like the Bash bug are often followed by phishing attacks that capitalize on consumers’ fears.

Linux

Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.

Mac Users

Go to this link to do a test:

http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851
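
A local self-check for the behaviour in the CVE description quoted earlier, written as an added example (it is not taken from this post or from the linked answer). It sets an environment variable to a function definition followed by a harmless trailing `echo` and reports whether the given Bash binary runs it at startup; the function names, the `probe` variable and the marker string are assumptions made for this example, and it covers only CVE-2014-6271.

```shell
#!/bin/sh
# Added example: local self-test for CVE-2014-6271 using a constructed,
# harmless probe. check_shellshock exit status:
#   0 = vulnerable, 1 = not vulnerable, 2 = path is not an executable file.

check_shellshock() {
    cs_bin=${1:-/bin/bash}
    [ -x "$cs_bin" ] || return 2
    # Unique marker so ordinary output cannot be mistaken for a hit.
    cs_marker="shellshock-probe-$$"
    # The variable's value is a function definition followed by a trailing
    # command. An affected Bash runs the trailing echo while importing the
    # environment at startup; a fixed Bash prints nothing on stdout.
    cs_out=$(env probe="() { :;}; echo $cs_marker" "$cs_bin" -c true 2>/dev/null) || true
    case $cs_out in
        *"$cs_marker"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check each path given (default: /bin/bash and the bash found on PATH).
report_shells() {
    [ "$#" -gt 0 ] || set -- /bin/bash "$(command -v bash 2>/dev/null)"
    for rs_bin in "$@"; do
        [ -n "$rs_bin" ] || continue
        rs_rc=0
        check_shellshock "$rs_bin" || rs_rc=$?
        case $rs_rc in
            0) echo "$rs_bin: VULNERABLE to CVE-2014-6271, apply the vendor patch" ;;
            1) echo "$rs_bin: trailing command was not executed" ;;
            *) echo "$rs_bin: not an executable file, skipped" ;;
        esac
    done
}

report_shells "$@"
```

A "not executed" result says nothing about the later environment-variable issues that the first round of patches left open, so the vendor advisories remain the reference for whether a system is fully fixed.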

More Information

Symantec has created an Intrusion Prevention signature for protection against this vulnerability:

27907 – OS Attack: GNU Bash CVE-2014-6271

National Cyber Awareness System

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
