Security researchers have discovered a new software bug known as the “Bash Bug” or “Shellshock,” or to those more technically “in-the-know” as GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271). This bug, more correctly termed, ‘vulnerability’, potentially allows attackers to gain control over targeted computers.
The bug is present in a piece of computer software called, Bash, that is typically found on computers running an operating system called Linux or Unix, of which there are many variations. Generally this operating system is used to power server computers, such as the ones that many of the world’s websites run on. Also impacted are all Apple Mac computers that run Apple’s operating system, OSX. Computers running Microsoft Windows are not impacted by this vulnerability directly, but could be at risk if web servers are compromised.
Who Is Likely To Be Targeted By This Bug?
There are three likely targets:
- We believe the primary target for this vulnerability is public facing web servers that have not yet been patched.
- Any computer running Apple’s Mac OSX, server or your personal computer or laptop, is also vulnerable to attack if it has not been patched. [Note: If your Apple Mac computer is running a Norton protection product on it (see full list below) it is already automatically protected from attempts to exploit this vulnerability] Also you should note that this bug does not affect computers running Microsoft Windows. They don’t run Bash.
- Many routers and other Internet-connected devices that are running a variation of Linux or Unix.
So, What Is Bash?
Bash is a piece of software that is used to translate commands that a user types into actions that a computer can understand. In the early days of computing it was more common for users to directly enter commands; today, point and click user interfaces hide all of this. However, many websites use scripts that contain a collection of such commands to automate interaction with the underlying computer. On a Unix or Linux computer, if you have ever typed commands into a window that has a prompt that looks like this, then you are likely talking to Bash:
The Bash bug allows an attacker to bypass regular security controls to insert additional unauthorized commands; which could, in turn, allow the attacker to steal data or gain control over the web server computer or other device.
The Good News: It Hasn’t Been Widely Exploited…Yet
So far, there is no significant evidence that shows that this bug has been exploited in the wild. However, now that researchers have brought this vulnerability to light, cyber criminals may see this as their chance to take advantage of it. Now it’s up to software companies to quickly create and implement patches and updates, before hackers can reap their unscrupulous rewards.
Am I Affected By Shellshock?
We believe Web servers are the likely main targets for attack and it is likely that website owners are working quickly to patch their computers to guard against attack. Unfortunately, there is no easy way to tell which websites may have been attacked so as a general precautionary measure we recommend keeping an eye out for suspicious activity on the accounts you keep online, and periodically changing important passwords, like those to your email accounts, financial accounts and social networks.
Business owners that have professional websites should apply any available patches immediately. For more information on what to do as a business owner, please visit our Security Response Blog.
If you’re a Windows user, your personal device is not vulnerable to this bug. Still, if a web server that runs on Linux has been compromised, and it holds your personal information, you may still be affected. If your personal device or computer runs on Linux or Unix (Mac OS), you may be susceptible, particularly if you are running an un-patched version of Linux or Mac OS.
What Precautions Should I Take To Defend Against Shellshock?
While the vast majority of the responsibility of thwarting cyber criminals from exploiting this bug lies on software companies and website owners, however, it is extremely important to make sure that all of your software remains up-to-date, as it often can contain security patches that will help keep your data secure.
Here are a few things that consumers can do to stay protected:
For all users:
- We recommend keeping an eye on all of your accounts, on which you store personal information, for signs of unusual activity that may indicate that your account has been compromised.
- Consider changing important passwords, like those to your email account, social networking sites, and financial accounts. Can’t think of a unique password? Try our Password Generator. For important financial websites, enable 2-factor authentication. If you use Merril Lynch, Ebay, PayPal or Etrade, you can use the Symantec VIP app.
- Apply any available patches to routers, or any other web-enabled devices in your home, as soon as they become available. Remember though to only download patches and software from reputable sites and keep in mind that scammers will likely try to take advantage of Shellshock reports, so be sure to watch out for spam emails and suspicious links that tell you to download software.
Specifically for Mac users:
- Norton security products for Mac already include protection against attempts to leverage this vulnerability on a Mac. See a full list of supported products below. Don’t have security software? Check out our all-new, simplified multi-device/mulit-OS solution, Norton Security.
- Keep an eye out for updates from Apple and be sure apply available patches.
Norton security products for Mac OSX:
- Norton Security.
- Norton Internet Security for Mac 5.0
- Norton Antivirus for Mac 12
- Norton 360 Multi-Device
- Norton One
Remember Microsoft Windows computers are not susceptible to attack using this vulnerability.
For more detailed information, you can also visit our Symantec Security Response post on the Shellshock bash bug vulnerability.