If you’ve been reading (or watching) the news lately, you may have heard of a new security vulnerability called Shellshock. You may have also heard that it’s very serious. But what is it really, and how does it affect you?

How serious is it?

The Shellshock vulnerability lets an attacker execute arbitrary code on an affected system, be it a router, laptop, or server. Essentially, they can make that system do anything they want.  It can be used to gain remote access, launch attacks at other systems, sabotage websites, spread malware, steal data, and a whole host of other things. So if you have a system that’s affected, it’s pretty serious.

Who does it affect?

Shellshock affects a piece of software called Bash. Bash runs primarily on Linux and Mac systems, which means it is present on some desktops, laptops, network equipment, IP cameras, and servers. If you’re running Windows, it does not affect your computer directly. Most Mac users are safe as well, since Bash isn’t installed on them by default. Linux users and servers are the most likely to be affected by this vulnerability.

How can I check if Shellshock affects me?

Testing is, thankfully, pretty simple. Here’s how to tell if your computers, websites, and network devices are vulnerable:

  • Windows desktop or server: Not vulnerable unless you’ve installed a Bash shell. If you don’t know whether you’ve done this or not, you haven’t.
  • Linux desktop or server:  Vulnerable if your distro uses Bash. Use the console test below.
  • Mac desktop or server: Vulnerable if you configured advanced Unix services. Use the console test below.
  • Network connected device (router, camera, TV): If device is exposed to the Internet, use http test below. If not, check with manufacturer.
  • Website: If you have a website, use the http test below.

Here are some simple tests for Shellshock vulnerability:

  • Console Test:
    • Open a terminal window (Mac: Applications -> Utilities -> Terminal)
    • Paste the following in the terminal window and press enter:
      env X=”() { :;} ; echo VULNERABLE” /bin/sh -c “echo stuff”
    • If the word VULNERABLE gets printed, you are vulnerable
  • HTTP Test:

What do I do if I’m affected?

If one of your devices or services is affected by Shellshock, here’s what to do about it:

  • Desktop or server: Install updates provided by OS vendor, then retest.
  • Mac updates: http://support.apple.com/downloads/
  • Network device: Check manufacturer’s website for updates.
  • Website: Contact webhost and request resolution timeframe.

More Information

For more information on Shellshock, check out the following resources: