Shellshock flaw hits Mac and Linux Systems

The Shellshock flaw is found in the Bash functionality that evaluates specially formatted environment variables passed to it from another environment, and was reported to Red Hat by Stéphane Chazelas, an Akamai security researcher. The flaw in the Unix Bash shell leaves Linux systems, Mac OS X, routers, and other devices vulnerable to attack.

The flaw, dubbed Shellshock, is an old one and has apparently been lurking in the Bash shell for years.

Exploiting the flaw allows attackers to run deep-level shell commands, and certain services and applications allow remote unauthenticated attackers to provide environment variables. An attacker could override or bypass environment restrictions to execute shell commands.

The true danger lies in the fact that a large chunk of web-connected devices, servers, and other web-service infrastructure runs on Linux distributions equipped with the Bash shell, though many embedded devices don't actually use it. However, its direct impact appears somewhat slim if you apply standard security precautions.

Red Hat has promptly released a patch for its Linux distributions, although the patch is incomplete, and vendors like Akamai have issued advice on how to mitigate the problem. Meanwhile, Apple has yet to issue a fix for Mac OS X.
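
For defenders triaging exposure while patches roll out, the following added example (not from the original article) scans web server access logs for header values that begin with the function-definition prefix `() {`, the "specially formatted" value form that Bash evaluates when it arrives as an environment variable. The combined log format, the documentation-range addresses, the `<command>` placeholder, and all function names are assumptions made for illustration.

```python
import re

# Apache/nginx "combined" format:
# host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A value that *begins* with "() {" is what Bash treats as a function definition.
# Whitespace is matched loosely on purpose so near-miss variants are still reported.
FUNC_PREFIX = re.compile(r'^\s*\(\s*\)\s*\{')
FUNC_ANYWHERE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample lines (not real traffic); <command> is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Oct/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 0 "-" "() { :; }; <command>"',
    '203.0.113.5 - - [01/Oct/2014:10:02:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" '
    '404 0 "() { :; }; <command>" "curl/7.30.0"',
    # Benign: the characters appear mid-value, so Bash would not parse a function.
    '192.0.2.44 - - [01/Oct/2014:10:03:00 +0000] "GET / HTTP/1.1" '
    '200 90 "-" "ExampleBot/1.0 () {beta}"',
]


def scan(lines):
    """Return (line_number, client_host, field) for each suspicious header value."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if m is None:
            # Malformed entries are not skipped silently: fall back to a raw search.
            if FUNC_ANYWHERE.search(line):
                hits.append((n, None, "raw"))
            continue
        for field in ("referer", "agent"):
            if FUNC_PREFIX.match(m.group(field)):
                hits.append((n, m.group("host"), field))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the Referer and User-Agent fields are checked because they are the only client-supplied headers the combined format records; other headers need a custom log format to be visible.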