A newly discovered software vulnerability could affect as many as 500 million computers and servers that run Linux or Apple’s Mac OSX operating system around the world.
The CVE-2014-6271 flaw, dubbed “Shellshock” or “Bash bug”, was discovered earlier this week and affects any system that uses Bash, a command line shell allowing users to launch applications by typing text commands. If exploited a hacker can remotely execute code and take over control of the system.
There is currently no direct evidence of the bug being exploited by hackers, but attacks may have occurred under the radar for years, with the bug theoretically existing since 1989. While hackers may attack MacBook users, a more likely target would be server running the Apache web server software, which accounts for around 60% of the servers around the world.
Security firm Rapid7 offered some information on the discovery of Shellshock:
“This vulnerability was discovered by Stephane Chazelas of Akamai and is potentially a big deal. It’s rated the maximum CVSS score of 10 for impact and ease of exploitability. The affected software, Bash (the Bourne Again SHell), is present on most Linux, BSD, and Unix-like systems, including Mac OS X.”
Technology company also Akamai confirmed the existence of the bug and the threat it poses:
“Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh—but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.
“There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services.”
Apple appears to have fixed the vulnerability in the latest version of their OSX operating system (Mac OS X 10.9.4), but the flaw remains in older versions.
Everyone using affected software has been warned to upgrade and patch their systems immediately.