Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Safe from Shellshock: How to protect your home computer from the Bash shell bug

Brad Chacos | Sept. 29, 2014
The 'Shellshock' Bash shell bug is a big deal, but it's relatively easy to keep your home PC safe.

On the surface, the critical "Shellshock" bug revealed this week sounds devastating. By exploiting a bug in the Bash shell command line tool found in Unix-based systems, attackers can run code on your system--essentially giving them access to your system. Bad guys are already developing exploits that use Shellshock to crack your passwords and install DDoS bots on computers. And since Bash shell is borderline ubiquitous, a vast swath of devices are vulnerable to Shellshock: Macs, Linux systems, routers, web servers, "Internet of Things" gizmos, you name it.

Yeah, it sounds bad.

But really, the impact on you at home should be minimal, especially if you take some basic precautions. Windows systems aren't vulnerable whatsoever--though your router may very well be--unless you're running a program like Cygwin.

How to determine if your computer  is vulnerable to Shellshock
Before we dive in, let's quickly talk about determining whether or not your system is running a vulnerable version of Bash shell. (If you're running a modern version of OS X or Linux, it probably is.)

Simply open the Terminal on your computer and type in the following:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If your system is vulnerable to the Bash bug, you'll see the following:


this is a test

If your system has already been patched to protect against the bug, on the other hand, you'll see something similar to this:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test

How to keep your computer safe from the Shellshock bug
Oh no! Your system is still vulnerable to Shellshock! What should you do now?

Nothing drastic, if you're an average computer user. If your computer is tucked safely behind a firewall--as it should be--the impact on you should be minimal, since attackers won't have any way to execute malicious code through the Bash shell on your system unless they trick you into running the command locally somehow. Shellshock is more dangerous for web servers and devices that "listen" for Internet commands than home PCs.

Apple drove that point home in its response to the Shellshock bug, which was provided to iMore:

"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities... With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users."

If you are one of those advanced Unix users on a Mac, this StackExchange thread can show you how recompile Bash with Xcode to plug the bug immediately.


1  2  Next Page 

Sign up for Computerworld eNewsletters.