The shellshock vulnerability: are you at risk?


"Shellshock" is a recently reported bug that makes certain computers vulnerable to attacks that could compromise data or seize control of the machine. In most cases these computers are servers running the Linux operating system, but dangers also exist for personal computers.

Shellshock affects computers that run the "bash shell." In plain English, "bash" is a command-line environment that geeks like me use instead of the mouse.

"But I only use the mouse. How does this affect me?" The catch is that "scripts" written for the shell are also part of the plumbing of your computer's operating system, if you run MacOS, Linux, or various less common operating systems.

"I have Windows. Am I vulnerable?" No, not this time. Windows isn't part of the same "family" of operating systems that use bash. It's not part of the plumbing.

"But bash is a program on my computer. How would outsiders get to it?" Some computers run bash "scripts" when carrying out tasks like joining a wireless network or serving up a webpage to a visitor.

One of these paths runs through a service called "DHCP." In plain English, DHCP is the thing that tells your computer where it is on the Internet every time you connect to the Internet.

"Does that mean Macs are vulnerable every time they join a wifi network?" Apparently not. Tests have been performed showing that Apple's version of DHCP doesn't have this vulnerability.

"Are Macs vulnerable at all?" So far, only if you run a webserver on your Mac that allows CGI programs. Most Macs don't. However, if you have third-party Mac apps that allow people to pick up files from your computer, it is very possible they are based on this technology. You should stop using those apps until the company behind them confirms they are safe, or Apple releases a MacOS update that fixes bash. As of 9/26/14 they have not done so.

"Does my iPhone have this vulnerability?" No, or very unlikely at least. Not even third party apps would be able to trigger this issue, because Apple doesn't let you invoke bash from your iPhone app.

"Does my Chromebook have this vulnerability?" I have not tested it, but it is a possibility, via the DHCP vulnerability. More information is needed. Stay off untrusted networks until Google pushes an update.

"Does my Android phone have this vulnerability?" No, it doesn't run bash (it has a different, safer, compatible shell).

"Does my company's website have this vulnerability?" There's a good chance, if the server runs Linux. Red Hat Linux is vulnerable. Ubuntu and Debian are less vulnerable, because they don't push bash as the standard shell; they use a newer, safer, less friendly one called dash. But most people have bash installed anyway and could still be doing vulnerable things.

Your system administrator or web hosting company needs to know that as of 9/26/2014, a partial fix has been published, and they should update their Ubuntu or Red Hat Linux servers to take advantage of it. But there is still a portion of the vulnerability that has not yet been addressed. So they should shut off traditional CGI programs (typically found in a cgi-bin folder or .cgi files in your website, but configurations vary).
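For the administrator reading this, here is an added example (not part of the original post) of the two checks the paragraph above asks for: a local self-test of the installed bash, and an inventory of CGI scripts under a web root. The self-test runs the two widely published Shellshock probes against the bash on the machine it runs on, in a throwaway directory, and reports "patched", "vulnerable" or "no-bash"; it contacts nothing over the network. The inventory uses the post's own conventions (a cgi-bin folder and .cgi files) and reads each script's shebang line so you can see which ones bash would run directly. The web root path is an argument, and the sample web root built by make_sample_webroot is constructed here for demonstration only.

```shell
#!/bin/sh
# Added example: local Shellshock self-check plus CGI inventory. Not the post's
# code; file names and the sample web root below are constructed for the demo.

# "no-bash" if bash is absent, "vulnerable" if bash still runs commands that
# trail a function definition imported from the environment, else "patched".
shellshock_check_env() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # A vulnerable bash prints "marker" while importing X; a fixed one does not.
    out=$(env X='() { :;}; echo marker' bash -c ':' 2>/dev/null) || true
    case "$out" in
        *marker*) echo "vulnerable" ;;
        *)        echo "patched" ;;
    esac
}

# Probe for the parser problem left open by the first, partial fix: in an
# incompletely fixed bash the stray redirection in X turns "echo date" into
# "date > echo", leaving a file named "echo" in the current directory.
shellshock_check_parser() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -f "$tmp/echo" ]; then r="vulnerable"; else r="patched"; fi
    rm -rf "$tmp"
    echo "$r"
}

# One line per CGI candidate under $1: "<path> <interpreter-from-shebang|none>".
# Candidates: any file inside a directory named cgi-bin, plus any *.cgi file.
cgi_inventory() {
    root=$1
    find "$root" \( -path '*/cgi-bin/*' -o -name '*.cgi' \) -type f 2>/dev/null |
    sort -u |
    while IFS= read -r f; do
        shebang=$(head -n 1 "$f" 2>/dev/null) || shebang=""
        case "$shebang" in
            '#!'*) interp=${shebang#'#!'} ;;
            *)     interp="none" ;;
        esac
        printf '%s %s\n' "$f" "$interp"
    done
}

# Number of candidates whose shebang names bash directly (/bin/bash or
# "env bash"): the ones to disable first. Scripts run by other interpreters
# can still reach bash through system()/popen and need review as well.
cgi_bash_count() {
    cgi_inventory "$1" |
    awk '$2 ~ /(^|\/)bash$/ || ($2 ~ /(^|\/)env$/ && $3 == "bash") {n++} END {print n+0}'
}

# Constructed sample web root (demo data only); prints its path.
make_sample_webroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/cgi-bin" "$d/tools" "$d/static"
    printf '#!/bin/bash\necho "Content-type: text/plain"\n' > "$d/cgi-bin/status.sh"
    printf '#!/usr/bin/perl\nprint "ok";\n'                  > "$d/cgi-bin/form.pl"
    printf '#!/usr/bin/env bash\necho hi\n'                  > "$d/tools/upload.cgi"
    printf 'no shebang here\n'                               > "$d/legacy.cgi"
    printf '<html></html>\n'                                 > "$d/static/index.html"
    echo "$d"
}

# Human-readable report for a web root given on the command line.
shellshock_report() {
    printf 'bash function import: %s\n' "$(shellshock_check_env)"
    printf 'bash parser follow-up: %s\n' "$(shellshock_check_parser)"
    printf 'CGI candidates under %s:\n' "$1"
    cgi_inventory "$1" | sed 's/^/  /'
    printf 'run directly by bash: %s\n' "$(cgi_bash_count "$1")"
}

# Usage: sh shellshock_check.sh /var/www   (path is an example, not a real layout)
if [ -n "$1" ]; then shellshock_report "$1"; fi
```

On the sample web root the inventory lists four candidates (index.html is neither in cgi-bin nor a .cgi file) and counts two of them as run directly by bash: the /bin/bash script in cgi-bin and the "env bash" .cgi file. A perl CGI and a file with no shebang are listed but not counted, which is the point of printing the interpreter next to each path rather than only a total.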

"Does this mean Windows is better?" No. Windows is closed-source. In English, that means only Microsoft can see the code, and we have to take their word for it that it's safe. So we usually don't know what vulnerabilities it has until bad guys have already started exploiting them. But vulnerabilities in Windows are found and fixed regularly. Just not the same ones we see in more open operating systems.

Open-source operating systems like MacOS (partially), Linux (completely) and Android (mostly) allow anybody to study the code and point out vulnerabilities, which is how the world learned of this problem before it became widely exploited. You can argue this both ways, but it's generally a good idea to have more eyes on the code.