'Shellshock' Flaw Found in Mac OS X, Linux

An Australian soldier suffers from shellshock in World War I.

A fundamental flaw in one of the most basic components of OS X, Linux, UNIX and related operating systems was revealed and patched today (Sept. 24, 2014) by software developers. Bash, the "shell" or command-line interpreter used by default on most UNIX-like systems, lets environment variables carry function definitions, and a flaw in the way it parses them meant that any commands appended after the function body were executed, without any check, as soon as a new Bash process started. Any program that passes attacker-controlled data into the environment of a Bash process, such as a web server exporting HTTP headers to a CGI script, could therefore be tricked into running arbitrary commands. The flaw is tracked as CVE-2014-6271, and today's patch stops the trailing code from being executed.

Because Bash is so widely used — it's the default shell for OS X and most distributions of Linux, including many Linux server builds — one Internet security expert called today's bug "as big a deal as Heartbleed."

"The bug interacts with other software in unexpected ways," Robert Graham, CEO of Errata Security in Atlanta, wrote on his firm's blog. "We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we'll never be able to catalog all the software out there that is vulnerable to the bash bug."

In April 2014, an examination of the OpenSSL code library, which is used to secure thousands of websites, revealed a fundamental flaw that had existed for more than two years. Dubbed the "Heartbleed" bug, the flaw is still being cleaned up.

Today's Bash bug — which Graham called "Shellshock" — may be much older than Heartbleed, perhaps existing since Bash was first used in 1989. (Graham thinks the flaw may also affect Bash's ancestor, the Bourne shell, or sh, which dates to 1977.)

"Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time," Graham wrote. "That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed."

The bug was discovered by French software developer Stéphane Chazelas and patched today by Chet Ramey, the official maintainer of the Bash shell, whose day job is as a network manager at Case Western Reserve University in Cleveland. Patches are available for Bash 3.0 through 4.3, and administrators who need to apply them can find links to the patch for each release on the SecLists mailing-list archive.

Just as a user of Microsoft Windows can bypass the graphical user interface and talk more directly to the computer through a DOS-like text window, users of UNIX-like systems can "drop into the command line" and get work done using only text-based commands.

For many UNIX derivatives and Linux flavors, using the command line is necessary to update software and perform anything more than basic functions. That's less true for user-friendly OSes such as Ubuntu Linux and Apple's OS X, but power users of those systems know that the command line is the quickest way to get things done.

There are several competing shells for UNIX-like systems, and most can be used interchangeably, depending on the user's preference. Bash is the most widely used, and it is also started behind the scenes by other programs, which launch a shell to run commands and scripts on their behalf. That is what makes this bug so dangerous: an attacker never needs to log in, only to get data into the environment of some program that starts Bash. (Google's Android and Apple's iOS are also UNIX-like, but neither ships Bash as its default shell.)

"It is common for a lot of programs to run bash shell in the background," read a posting by Red Hat security engineer Huzaifa Sidhpurwala on the Linux developer's official security blog today. "It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)."
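
The mechanism described above (function definitions imported from environment variables, and the CGI path Red Hat describes, where a web server copies request headers such as User-Agent into the environment before running a script) as an added example that is not part of the original article and not code from the Bash project: a POSIX sh script with a probe function that reproduces the public test vector against a given Bash binary, and a grep over a constructed access log that flags the `() {` prefix every Shellshock payload has to start with. The variable name HTTP_USER_AGENT, the sample log lines and the addresses in them are assumptions for illustration. The Sept. 24 patch was later found to be incomplete and was followed by further fixes, so a clean probe result means only that this original vector is closed.

```sh
#!/bin/sh
# Added example (not from the original article or from Bash's maintainers):
# a POSIX sh script that checks whether a Bash binary still executes the
# command appended to a function definition passed through the environment,
# and a grep that spots such payloads in web-server access logs.
# The probe is the public test vector that circulated with the patch.

shellshock_probe() {
    # $1: Bash binary to probe (default: the bash found on PATH)
    # $2: name of the environment variable carrying the payload; the default
    #     mirrors how a CGI web server exports the User-Agent request header
    #     (assumed name for illustration; pre-patch Bash parsed any name).
    target=${1:-bash}
    varname=${2:-HTTP_USER_AGENT}
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # The value begins with "() {", which pre-patch Bash treats as an
    # exported function definition. A vulnerable Bash keeps parsing past the
    # closing brace and runs "echo vulnerable" while importing its
    # environment, before "echo ok" from the -c script ever executes.
    out=$(env "$varname=() { :;}; echo vulnerable" "$target" -c 'echo ok' 2>/dev/null)
    case $out in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

shellshock_log_hits() {
    # Reads an access log on stdin and counts request lines that carry the
    # "() {" prefix every Shellshock payload needs, wherever the attacker
    # placed it (User-Agent, Referer, Cookie, query string). grep -F makes
    # the parentheses and brace literal.
    grep -Fc '() {'
    return 0   # zero matches is a count, not an error
}

# Constructed sample log in Apache combined format (addresses from the
# RFC 5737 documentation ranges); the two /cgi-bin/ requests carry harmless
# probe payloads in the User-Agent and Referer fields.
SAMPLE_LOG='203.0.113.5 - - [24/Sep/2014:15:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.12 - - [24/Sep/2014:15:02:15 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2014:15:03:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { test;};echo probe" "curl/7.37.0"'

# Demo: probe the Bash on PATH, then scan the sample log.
shellshock_probe bash
probe_status=$?
echo "probe exit status: $probe_status"
printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hits
```

A vulnerable Bash makes the probe print "vulnerable" and return 1; a fixed one prints "patched" and returns 0. To check a particular binary, for example Apple's /bin/bash, pass its path as the first argument. On Debian and Ubuntu, /bin/sh is dash rather than Bash, so CGI scripts that start with #!/bin/sh are not reached through this vector unless they call bash themselves; probing /bin/bash still matters there for any script or program that invokes it explicitly. For the log scan, feed a real access log on stdin in place of the constructed sample, and treat any non-zero count as a reason to look at which scripts those requests reached.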

Red Hat has already released its own patches that fix this flaw.

There don't appear to be any exploits related to this bug in the wild yet. The flaw is most dangerous on servers that hand untrusted input to Bash, such as web servers running CGI scripts, but it also offers an opportunity for miscreants to attack OS X and desktop Linux, not to mention countless other server builds. If Apple, Ubuntu, Mint, Debian or other Linux developers release operating-system updates this week, be sure to install them.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.