A Linux/Unix-based vulnerability, Shellshock, has an impact that reaches far beyond one operating system.
As with Heartbleed, Windows users can’t ignore this threat. But the most difficult aspect of this outbreak is determining which devices are actually vulnerable.
A vulnerability in the Bash Linux/Unix shell
Your PC might be pure Windows, but chances are high that you have devices in your home running on Unix or Linux. I know I do — my Western Digital My Cloud networked backup drive, routers, Kindles, iPhones, and iPads all run some form of Unix/Linux. (Worse still, Unix and Linuxare core operating systems on many enterprise-computing and storage systems.)
Those non-Windows devices were relatively safe from malware — until now. As has been widely reported, the GNU Project’s Bourne Again Shell (Bash; more info) was found to be vulnerable. Bash is a text-based, command-line utility or Unix shell used by numerous versions of the Linux/Unix operating systems.
If installed as the default command-line shell, Bash can make a system vulnerable to malicious remote attacks. The method of attack includes various network tools that execute scripts — from Telnet and Secure Shell (SSH; more info) sessions to Web requests.
Unfortunately, there’s no single list of Shellshock-vulnerable devices. At this point, we each need to take a survey of our Linux/Unix devices and check whether there’s an update to protect us from attack. If there’s no patch for a particular device, mitigating the threat could mean changing how we use the device or — as in the case of a security device such as a router/firewall — replacing it altogether.
Be aware that there are already reports of attacks against online honey pots that look for new exploits.