NEWS‎ > ‎

Bash bug threat and updates

posted Sep 28, 2014, 9:53 AM by Barny CK
A bug has been discovered with a Unix shell called Bash. The Bash bug dubbed Shellshock, was discovered on September 24 by Stephane Chazelas of Akamai Technologies Inc. Bash is a command processor that runs commands from a text window or a script. The bug dates back to version 1.13 (roughly in the year 1992) and affects up to version 4.3. The Shellshock vulnerability can be exploited via

a) Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells.
b) Certain DHCP clients
c) OpenSSH servers that use the ForceCommand capability
d) Various network-exposed services that use Bash

Systems running Linux, BSD, Mac OS X and even Android phones are vulnerable to attacks, primarily via back door attacks. Currently, there have been updates available for Linux system. You may access this link for the updates. Apple has come forward to announce the imminent threat to its Mac OS X but that most users are safe due to its default advanced setting for Apache HTTP Servers being turned off. However, Apple promises to release a software update in due time. Currently the latest version of Mac OS X is 10.9.5.

Microsoft Windows is generally safe due to their using of a variant file called win-bash but Windows server users should take caution and consult professional help if needed. 

Apple has on Monday released a security patch to remedy the Bash vulnerability. The patch is called 
OS X bash Update 1.0 and can be downloaded here. The patch is effective for Macs running 
OS X Lion v10.7.5
OS X Lion Server v10.7.5 
OS X Mountain Lion v10.8.5 and 
OS X Mavericks v10.9.5 
but there is no mention of OS X Yosemite beta.