What You Need to Know About the Shellshock Bash Bug

By September 26, 2014 Security News 13 Comments
A newly-discovered security vulnerability dubbed the “ShellShock bug” could be more widespread and damaging than Heartbleed.

What is the Shellshock Bash Bug?

Bash, a unix shell typically used on Mac, Linux, and Unix systems, has had flaws that allow someone to trick Bash into doing things it’s not supposed to do, like running programs or modifying data.

The bug could affect any network or website that relies on Unix and Linux operating systems, including Mac OS X. Though you may be running Windows, most web servers on the Internet run on some variant of Unix, so your business or the services you use on a daily basis are likely to run these platforms. In short, the Shellshock bug puts untold millions of computer networks and consumer records at risk of compromise.

By exploiting the Shellshock bug, an attacker can essentially have full access to that server. Since the attacker could take any action that the web server itself could take, the consequences could be disastrous: the compromise of a database, access to files, access to source code, data being deleted, data being changed, running programs, and, perhaps worst of all, deploying malware to compromise the system. This is far worse than Heartbleed, which could reveal data from server memory but didn’t allow direct action on a machine.

Is LastPass Affected?

No, LastPass is not vulnerable to the Bash bug. LastPass does not use Bash on web-exposed interfaces, and we’ve applied the latest patches as well.

We have seen evidence of attempts to exploit the bug on LastPass systems, unsuccessfully. Other companies and researchers have reported observing the same, indicating it’s likely other web services and networks are at risk.

Is There a Fix?

Yes, there’s a patch for most Linux systems, though Apple has yet to release a fix for Mac OS X. The initial patch making the rounds Wednesday was not an effective fix, so the patch should be reapplied. Those managing computer systems should update their networks and machines with the proper patches as they’re released.

What Should You Do?

At the moment, LastPass customers and others should avoid using open, unsecured WiFi if using Mac OS X, until Apple releases a patch. Linux desktop users should update their systems as soon as possible. Windows desktop users are unaffected.

If other services you use indicated they were patched, you can update your passwords and proactively monitor for signs of breach, such as things installing to your machine without action on your part, or suspicious activity on your online accounts.

And if you’re not yet using a password manager, now’s a good time to start. By using a different password for every online account, you make it much more difficult for someone to compromise your most critical online accounts and your personal identity.

Update: Tuesday, September 30th

Apple has now released patches for the “Shellshock” Bash bug that affected Mac OS X, the update should be available from your computer’s Software Updates, or you can download them directly from Apple here:

OS X Mavericks: http://support.apple.com/kb/DL1769
OS X Mountain Lion: http://support.apple.com/kb/DL1768
OS X Lion: http://support.apple.com/kb/DL1767


  • Thrawn says:

    Yes, they’ve patched even though they’re not vulnerable. I can think of several reasons to do so:

    – There may be ramifications of Shellshock not yet understood, and it’s best to be safe.
    – This *is* wrong behavior on Bash’s part, and should in principle be fixed.
    – Most LastPass customers don’t have the technical knowledge to understand exactly how a server may be vulnerable or not, and would rather know that LastPass has patched the bug.
    – Keeping up to date with patches means that you’ll have a more mature and streamlined process when something big *does* affect you.