Shellshock Flaw Poses Big Security Threat for Mac, other Unix Systems

Move over, Heartbleed, because here comes Shellshock. This security threat has the potential to be even bigger than Heartbleed because of the way it lets attackers remotely access victims computers through the Bash command line shell for Unix and Linux, plus it potentially affects Mac OS X and the iPhone, iPad, and iPod touch.

Bash's Shellshock flaw poses big security threat for Macs and other Linux systemsBash's Shellshock flaw poses big security threat for Macs and other Linux systems

Shellshock is about a 25 year old security flaw in the Bash shell that lets code held in certain variables to be executed immediately and without the victim's knowledge. That code could give attackers deep level access to the system as well as any data they want to harvest.

The flaw is a serious threat for Mac users even if they don't typically use the Terminal app to access their computer's Unix underpinnings because many of the apps they use may be tapping into Bash on some level.

Robert Graham from Errata Security said,

We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we'll never be able to catalogue all the software out there that is vulnerable to the Bash bug.

The treat extends beyond OS X and iOS, too. Many Linux-based computers are susceptible, as are a wide range of other devices such as routers, network connected storage systems, and even devices that can be programmed via the Internet like home automation products — some of which can't be patched, so they'll always be vulnerable.

Shellshock is being compared to Heartbleed, which is an OpenSSL flaw that gained widespread coverage earlier this year. That issue posed a serious to online servers and other computers because of an issue that let attackers steal encryption keys without being detected. With those keys in hand, attackers could intercept and decrypt data passing through online servers.

Apple said OS X and iOS weren't vulnerable to Heartbleed, but other companies scrambled to patch the flaw in their products. Because some companies with vulnerable devices aren't around any more, or aren't supporting their older products, many devices on the Internet are still open to Heartbleed attacks.

"Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time," Mr. Graham said. "That means there are lots of old devices on the network vulnerable to this bug."

He added that primary servers likely won't be vulnerable for long many other devices running embedded versions of Linux will be. That doesn't bode well for the computer and smartphone-toting community — including potentially iPhone and Android users — because the devices they use are potentially vulnerable to the Shellshock exploit.

Once an attacker has access to a system through the Bash shell, there isn't much they can't do.

"The potential is enormous – 'getting shell' on a box has always been a major win for an attacker because of the control it offers them over the target environment," said security expert Troy Hunt. "Access to internal data, reconfiguration of environments, publication of their own malicious code etc. It’s almost limitless and it's also readily automatable."

Up next: What Shellshock Means for You

Shellshock: What Does it Mean for You?

Apple hasn't commented on its plans for responding to Shellshock, but is likely already working on a patch. You can check to see if your Mac is vulnerable to the threat by launching Terminal and entering this command:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you see "vulnerable" as part of the response to the command, your Mac is susceptible to the Shellshock threat. For Mac users who're comfortable compiling their own code, Stack Exchange details how to apply your own Bash patch.

Shellshock looks to be a very serious security threat for Unix and Linux-based systems, and it's been around for a long time. It looks like researchers have found ways to patch the threat, so now it's up to Apple and other companies to get those updates out. This isn't the same as Heartbleed, but it will be an ongoing issue, just like the earlier OpenSLL threat.

For Mac users, the bigger threat is the router they're using to connect to the Internet. If it's running a version of Linux with a vulnerable version of Bash, an attacker could use that to exploit the Shellshock flaw. Routers are directly connected to the Internet, which raises their level of exposure, unlike our Macs which are typically relatively hidden on our local networks behind those routers.

That doesn't, however, mean that Shellshock isn't a serious security threat for Mac users. If a device is potentially vulnerable, then it's a safe bet people are actively working on exploits.

Apple offers an automated update process for its computers and WiFi base stations, which is great for average users, but other vendors don't necessarily have update systems that are as easy to use. If you're using a non-Apple WiFi router, for example, there may be a built-in system you can access via a webpage to check for updates, or you may have to visit the manufacturer's website to see if a downloadable update is available.

Considering the average home network was likely set up by someone who doesn't stay on top of router updates and security threats, they won't be looking for Shellshock patches. Those unpatched devices, along with the products that simply can't be updated, are going to pose a long-term threat for many people. Shellshock also has the potential to expose far more data than Heartbleed because it gives attackers full access to victim's systems, and not just encrypted data passing through online servers.

Hopefully Apple will have an update out soon to address Shellshock, and hopefully it won't leave us with other problems, like yesterday's iOS 8.0.1 debacle.