It looks like you're using an Ad Blocker.

Please white-list or disable in your ad-blocking tool.

Thank you.


Some features of ATS will be disabled while you continue to use an ad-blocker.


Bash bug in Mac OS X and Linux could be 'bigger than Heartbleed'

page: 1

log in


posted on Sep, 25 2014 @ 07:19 AM
Heads up ATS. Any of you who manage your own servers, use Apache, or run Mac OSX or Linux distributions this applies to you.

HACKERS HAVE DISCOVERED an exploit for Unix-based systems that some experts claim could be more serious than the Heartbleed SSL bug uncovered in April.

The bash bug, as implied by its name, is a vulnerability that allows unscrupulous users to take control of Bourne Again Shell (bash), the software used to control the Unix command prompt on some Unix-like systems. This means that systems running Mac OS X and Linux are all potentially susceptible.

"Conservatively, the impact is anywhere from 20 to 50 [percent] of global servers supporting web pages. Specifically, this issue affects web servers using GNU bash to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet."

That's about 500 million potentially vulnerable systems. Security patches are being rolled out today. Be sure to check for upgrades pertaining to your operating system and install them ASAP. It doesn't seem to be reaching into systems that run Linux in the background, like routers. When more info becomes available i'll update the thread.

There's always a run on fresh vulnerabilities to exploit. The blackhats are going to eat this up for a while, so stay secure! Apply that patch as soon as your distro has one for you.


posted on Sep, 25 2014 @ 08:29 AM
a reply to: AnonyMason

The SHELLSHOCK bug. Heres some more details:

"Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time," Graham wrote. "That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed."

The bug was discovered by French software developer St├ęphane Chazelas and patched today by Chet Ramey, official maintainer of the Bash shell, whose day job is as a network manager at Case Western Reserve University in Cleveland. The patch fixes Bash 3.0 through 4.3, and links for network administrators to fix the patches can be found on the SecLists mailing-list archive.


Looking around for a patch/OS list. If i can find one I'll put it here.

posted on Sep, 27 2014 @ 08:18 AM
How to check if you are vulnerable to shell shock.

To determine if a Linux or Unix system is vulnerable, run the following command lines in your linux shell:

env X="() [ :;] ; echo shellshock" /bin/sh -c "echo completed"
env X="() [ :;] ; echo shellshock" `which bash` -c "echo completed"

If you see the word shellshock in the output, your bash shell is vulnerable. The bug is primarily effecting Linux and Unix system bash shells versions 1.14 through 4.3 of GNU.

Patches are available for Redhat, Ubuntu, CentOS, and Debian. Mac is reporting that most users will not be vulnerable but are expected to have an update any way, soon, posibly today. For the linux distros apply updates with you package manager usig: sudo ap-get update, then sudo apt-get upgrade OR su -c 'yum update'.

Stay safe! NIST vuln database has ranked this a 10/10 severity rating so be sure to apply the patch!
edit on 27-9-2014 by AnonyMason because: sp

new topics

log in