Updated @ 8:10am, September 29: Another remote code execution vulnerability has been found in Bash. It is unrelated to the first Shellshock vulnerability, but it is essentially the same deal: It’s very easy to exploit, and allows attackers to execute arbitrary code on a remote computer. The patched version of Bash which fixed the initial Shellshock vulnerability (CVE-2014-6271) does not protect you against this new vulnerability (CVE-2014-6277 and CVE-2014-6278). The original story, which is still accurate and informative, remains below.

Original story

There’s a new internet-crippling zero-day vulnerability in town called Shellshock. It potentially affects around half of all websites on the internet (around 500 million), and millions or billions more internet-connected devices such as routers, smartphones. Unlike Heartbleed, which was quite hard to exploit properly, Shellshock can be exploited with just a couple of lines of code, giving just about anyone the ability to run arbitrary code on an affected computer. In simple terms, this means that it’s now relatively simple for anyone to gain unauthorized access to a large portion of the world’s computers, and download/extract a wide variety of sensitive details. Shellshock also has the potential to be turned into a worm — a self-replicating piece of code that automatically propagates to all Shellshock-vulnerable systems, potentially causing untold damage.

But before we get ahead of ourselves with various doomsday scenarios (and Shellshock really could be one of the worst bugs to ever hit the internet), let’s discuss what Shellshock actually is first.

What is Shellshock?

In technical terms, Shellshock is a vulnerability in a Linux (or *nix) program called Bash, with the formal designation of CVE-2014-6271. In the words of the US government’s NIST agency:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” (Emphasis added)

In simpler, non-technical terms, Shellshock is a vulnerability in a very popular program — Bash — that is present on almost every Linux-based computer and device in the world. If you’ve ever used the “command line” on a Unix-like system (Linux, Mac OS X, Android) then you were probably typing commands into a Bash shell. This vulnerability, which can be exploited via a number of routes (at least Apache and DHCP), allows an attacker to run code directly on the vulnerable system. It is very, very easy to craft these attacks — it’s basically as simple as writing a few lines of Bash shell script.

Who or what is vulnerable to Shellshock?

Bash, or GNU Bash to give its proper name, was created 25 years ago as a free replacement for Unix’s Bourne shell. It is distributed with just about every flavor of Linux, and it’s the default shell for Mac OS X. Every version of Bash for the last 25 years, up to and including version 4.3, is vulnerable to the Shellshock vulnerability.

Read: The NSA knew about and exploited the Heartbleed bug for ‘at least two years’

Merely having Bash installed on a system doesn’t make you vulnerable, however; the attacker needs some way to access Bash via the internet. In this case, the easiest route is through Apache, which has permission — via mod_cgi — to set environment variables. These variables would usually be used for cookies, referral URLs, and other “header” information. The Shellshock vulnerability allows actual commands to be executed, instead of just setting a few harmless variables. OpenSSH (sshd) may also provide a route in via Bash, but various exploits are still being explored.

To test whether a system is vulnerable, you can try popping open a shell/terminal and running this command:

env X="() { :;} ; echo you might be vulnerable" /bin/bash -c "echo hello"

If “you might be vulnerable” pops up, your system has an exploitable version of Bash installed. This doesn’t mean that your system is vulnerable, though. Apple has already issued a statement saying that normal OS X users, despite having a vulnerable version of Bash, are not vulnerable. The situation is probably similar for Android: It has a vulnerable version of Bash, but actually exploiting it is probably quite hard. I don’t believe iOS is vulnerable.

If you run a Linux/*nix Apache web server, or if you use someone else’s server that also has Apache installed, you are vulnerable. Keep an eye out for an updated version of Bash, or other mitigations. For now, there isn’t really an easy mitigation — unless you know for sure that you don’t have any websites that use CGI, and can simply disable mod_cgi. Most major distros have issued a patched version of Bash — use apt-get, yum, etc. to obtain it.

As far as normal people are concerned, the most pressing issue is that your DSL/cable router may also be vulnerable (most consumer routers run an embedded version of Linux, and a CGI-capable web server) — and if a hacker can access your router, it can then probably gain access to other resources on your local network (shared folders and the like).

If you’re one of the 18 people in the world who uses Linux as a desktop OS, and you also run the Apache web server, you are probably vulnerable.

Rather amusingly, this is one of the few cases where Windows isn’t vulnerable (unless you have Bash installed via Cygwin, but very few people do). Of course, you might still be in trouble if you have Windows machines sharing a network with some vulnerable Linux boxes.

Next page: What can you do to protect yourself against Shellshock?