Mac OS X among those that BASH vulnerability could cripple

No more BASHing
Blame the BASH feature

System administrators all over the world have woken up to yet another major security scare. After the Heartbleed bug back in April, this one affects UNIX-based operating systems including Linux, Mac OS X and potentially Android, which has roots in UNIX.

The BASH bug (or Shellshock, as it is now known) was discovered yesterday by security researchers working for open source company Red Hat, and because the affected platforms are ubiquitous, one should expect more damage than Heartbleed.

Indeed, what makes it so worryingly dangerous is that it affects everything that runs GNU's Bourne Again Shell (otherwise known as BASH) and is connected to the internet.

This includes any Internet-of-things devices like video cameras that operate using web-based BASH scripts. These are not only difficult to patch but also difficult to track and audit, which makes in-the-wild exploits very likely.

ESET's Mark James gives a simple routine to find out whether your systems are affected. Type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The output on a vulnerable system will read:

vulnerable

this is a test

A patched or unaffected system will output:

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for 'x'

this is a test

He added that the bug has been around for a very long time and the community doesn't really know how many systems are actually affected by it.
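The check above, extended as an added example (not part of the original article or of ESET's advice) so that the same probe runs against every bash binary on PATH or listed in /etc/shells, which helps when a host carries more than one copy. The function names are illustrative.

```shell
#!/bin/sh
# Added example: run the article's probe against each bash binary on a host.
# Function names are illustrative, not from the article.

# Turn the probe's combined stdout/stderr into a verdict.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo "VULNERABLE"          # the injected echo ran during function import
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo "not vulnerable"      # only the intended command ran
    else
        echo "inconclusive"        # binary missing or failed to start
    fi
}

# Run the probe from the article against one bash binary ($1 = path).
probe_shell() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>&1) || true
    classify_probe_output "$out"
}

# Candidate binaries: bash on PATH plus bash entries in /etc/shells.
list_bash_binaries() {
    {
        command -v bash 2>/dev/null
        if [ -r /etc/shells ]; then grep -E '/bash$' /etc/shells; fi
    } | sort -u
}

# Print one verdict per binary; return 1 if any is vulnerable.
audit_bash_binaries() {
    status=0
    for shell_path in $(list_bash_binaries); do
        [ -x "$shell_path" ] || continue
        verdict=$(probe_shell "$shell_path")
        printf '%s: %s\n' "$shell_path" "$verdict"
        if [ "$verdict" = "VULNERABLE" ]; then status=1; fi
    done
    return "$status"
}

audit_bash_binaries || echo "patch the binaries marked VULNERABLE" >&2
```

An "inconclusive" verdict means the binary could not be run at all and should be checked by hand rather than treated as safe.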

Desire Athow
Managing Editor, TechRadar Pro