What is Shellshock? The OS X and Linux Bash Bug that Could be Bigger than Heartbleed

A serious bug has been found affecting Linux and Mac OS X software, which security researchers claim could be bigger than Heartbleed.

The Heartbleed Bug, which was discovered earlier in 2014, became front page news around the globe, causing panic among internet users that all their information and personal data was at risk.

Less than six months later, security researchers have uncovered another major flaw in a widely used piece of software which some believe could pose a bigger threat than Heartbleed.

Dubbed Shellshock, or the Bash Bug, the security vulnerability is officially known as CVE-2014-6271 and affects the Bash command processor which is used in most Linux distributions, in Apple's Mac OS X, and the Apache web server software, among others.

Here we explain what it is, what threat it poses, and whether or not you are at risk.

What is Bash?

Bash stands for Bourne Again Shell, a command line shell allowing users to launch applications by typing text commands. For example, you can use it by launching the Terminal in Mac OS X.

Bash was released in 1989 and the vulnerability which has only just been discovered, has been theoretically exploitable for the last 25 years.

Who discovered Shellshock?

The vulnerability was discovered by Stephane Chazelas, a Unix/Linus researcher. The vulnerability was reported on Wednesday, 24 September, 2104, and has officially been given the name "CVE-2014-6271: remote code execution through bash" by SecList.

Security researcher Robert Graham dubbed it Shellshock - a catchy name that seems to have stuck.

How does the Bash Bug work?

The Bash Bug relates to how "environment variables" are processed - variables which allow users to alter the way software works.

In theory it means an attacker could force a vulnerable system to set specific environment variables, which in turn could allow them execute shell commands.

This is the big worry, as it would allow infected systems to be remotely controlled by hackers who could launch software on a victim's computer.

Which systems are affected?

Servers, home computers, and embedded devices are all vulnerable.

Users running Linux and Mac OS X on their PCs are at risk, but it is thought that the most likely target will be web servers running the Apache web server software.

And this is a big problem, especially when you consider that up to 60% of the web servers out there use this software.

Apache uses Bash to run background applications which process data from users, such as information inputted to online forms. If an attacker was able to exploit this vulnerability by making a web request which included exploit code, they would theoretically be able to launch widespread attacks on visitors to that website.

Ian Pratt, co-founder at Bromium told IBTimes UK: "It's going to impact large numbers of internet-facing linux/unix/OS X systems as bash has been around for many years and is frequently used as the 'glue' to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system."

How to check if your system is affected by Shellshock?

This is a relatively simple one to check. Simple call up a Terminal on your desktop, and type in this line of code at the $ prompt:

If your system is vulnerable, then you will see this:

If it is not vulnerable you will see this:

Is it being exploited by cyber-criminals?

So far there is no conclusive proof that the vulnerability is being exploited in the wild, but that is not to say that it isn't happening under the radar.

Robert Graham has done some initial checking and found 3,000 vulnerable systems simply by scanning devices connected to the internet.

Graham also says that the exploit is "clearly workable and can easily worm past firewalls and infect lots of systems."

Security researcher Yinette has also found proof of concept code which attempts to exploit the Bash Bug, meaning that it appears hackers are already working on trying to take advantage of the flaw.

AusCERT also claim to have received reports that the bug was being exploited in the wild, but again this has not been confirmed.

Can Shellshock by fixed?

Again, this is a case of yes and no.

Apple is working to patch the problem but the latest version of its software (Mac OS X 10.9.5) is vulnerable as it included Bash 3.2 - however, Apple says that anyone using the operating system's default setting are not at risk.

There have also been some patches issued for certain versions of Linux, but it now appears as if these patches are not 100% effective, meaning vulnerabilities still exist.

US-Cert has listed a number of the patches available for some of the more popular Linux distros including RedHat, Ubuntu and Debian.

System administrators overseeing the operation of servers hosting websites should be scrambling as fast as possible to patch their systems to prevent hackers from exploiting the Shellshock vulnerability.