What You Need to Know About the Shellshock Bash Bug

September 26, 2014 | Security News
A newly-discovered security vulnerability dubbed the “ShellShock bug” could be more widespread and damaging than Heartbleed.

What is the Shellshock Bash Bug?

Bash, a Unix shell used on Mac, Linux, and other Unix systems, has a flaw that lets an attacker trick it into doing things it is not supposed to do, such as running programs or modifying data.

The bug could affect any network or website that relies on Unix and Linux operating systems, including Mac OS X. Though you may be running Windows, most web servers on the Internet run on some variant of Unix, so your business or the services you use on a daily basis are likely to run these platforms. In short, the Shellshock bug puts untold millions of computer networks and consumer records at risk of compromise.

By exploiting the Shellshock bug, an attacker can essentially gain full access to an affected server. Since the attacker could take any action that the web server itself could take, the consequences could be disastrous: the compromise of a database, access to files, access to source code, data being deleted, data being changed, running programs, and, perhaps worst of all, deploying malware to compromise the system. This is far worse than Heartbleed, which could reveal data from server memory but did not allow direct action on a machine.

Is LastPass Affected?

No, LastPass is not vulnerable to the Bash bug. LastPass does not use Bash on web-exposed interfaces, and we’ve applied the latest patches as well.

We have seen evidence of attempts to exploit the bug on LastPass systems, unsuccessfully. Other companies and researchers have reported observing the same, indicating it’s likely other web services and networks are at risk.

Is There a Fix?

Yes, there is a patch for most Linux systems, though Apple has yet to release a fix for Mac OS X. The initial patch that circulated on Wednesday was not an effective fix, so an updated patch should be applied on top of it. Those managing computer systems should update their networks and machines with the proper patches as they are released.
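Because the first patch was incomplete, the practical question is whether the bash on your own machine is really fixed. The script below is an added example, not code from the original post: it runs the two widely published local self-tests (one for the original environment-import bug, one for the hole the first patch left open) against the local bash and reports the result. It assumes bash and mktemp are on the PATH; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: probe the local bash
# for the Shellshock environment-import bug and for the follow-up hole
# that the first patch left open. Exit status of each probe:
#   0 = patched, 1 = still exposed, 2 = could not test (no bash/mktemp).

shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "bash not installed"; return 2; }
    # An unpatched bash imports any variable whose value starts with "() {"
    # as a function and keeps parsing past the closing brace, so the text
    # after it runs as a command when the child bash starts. A patched bash
    # ignores the trailing text and only runs "echo probe".
    out=$(env probe='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "bash is VULNERABLE: trailing commands in env functions run"; return 1 ;;
        *)            echo "bash is patched against the env-import bug"; return 0 ;;
    esac
}

shellshock_followup_check() {
    command -v bash >/dev/null 2>&1 || { echo "bash not installed"; return 2; }
    dir=$(mktemp -d 2>/dev/null) || { echo "cannot create scratch dir"; return 2; }
    # Under the first, incomplete patch a malformed definition leaves a
    # dangling redirection in the parser, so the harmless "echo date" turns
    # into "> echo date" and writes a file named "echo" into the scratch dir.
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"
        echo "bash is VULNERABLE: first patch present but follow-up fix missing"
        return 1
    fi
    rm -rf "$dir"
    echo "bash is patched against the follow-up parser bug"
    return 0
}

# Run both probes; succeeds only if neither shows exposure.
shellshock_report() {
    shellshock_check; a=$?
    shellshock_followup_check; b=$?
    [ "$a" -ne 1 ] && [ "$b" -ne 1 ]
}
```

Source the file and run shellshock_report; a non-zero exit means the installed bash still needs the vendor update.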

What Should You Do?

For now, LastPass customers and others on Mac OS X should avoid open, unsecured WiFi until Apple releases a patch. Linux desktop users should update their systems as soon as possible. Windows desktop users are unaffected.

Once other services you use indicate they have been patched, update your passwords there and proactively monitor for signs of a breach, such as software being installed on your machine without your action, or suspicious activity on your online accounts.

And if you’re not yet using a password manager, now’s a good time to start. By using a different password for every online account, you make it much more difficult for someone to compromise your most critical online accounts and your personal identity.

Update: Tuesday, September 30th

Apple has now released patches for the “Shellshock” Bash bug that affected Mac OS X. The update should be available from your computer’s Software Update, or you can download it directly from Apple here:

OS X Mavericks: http://support.apple.com/kb/DL1769
OS X Mountain Lion: http://support.apple.com/kb/DL1768
OS X Lion: http://support.apple.com/kb/DL1767

13 Comments

  • NM says:

    I am not sure I get this part: “LastPass does not use Bash on web-exposed interfaces, and we’ve applied the latest patches as well.”

    So you don’t use it but you have applied a patch anyway …?

  • G. Smith says:

    Windows users are not affected. But I wouldn’t be so sure if running Cygwin.

  • Anonymous says:

    For what it is worth, OSX is not vulnerable out of the box because it does not expose services which set env or execute bash with external input, nor does its DHCP client implementation do so. (It is, to be frank, completely pants-on-head retarded that certain other DHCP client implementations do this. I’m looking at you, Linux distros.)

  • Could you explain why your web servers were not vulnerable while others were? You use some kind of shell environment, right? Is it just the way it was configured? (I’m a Microsoft guy, so my knowledge here is limited)

  • Anonymous says:

    Thanks for the timely update

  • Anonymous says:

    You don’t even mention the worst part. All kinds of network-accessible equipment could be running embedded Linux with the exploit possible now. There may not even really be a way to update all of it.

    • And the bug has been there 22 years; companies have come and gone. Even if devices can be identified, there may be nobody left who knows how to patch them. Source code may be long lost.