In the last 24 hours, a major vulnerability has been uncovered in one of the fundamental pieces of software used on Linux-based machines: Bash.
Now, I am by no means a Linux expert, so I’m merely reporting on what I’ve learned so far. The crux of the issue is that this vulnerability, which has existed in Bash for 22 years and was just discovered yesterday, allows the remote injection of code onto any system with Bash installed, which by conservative estimates is 500 million machines. This includes Macs (whose OS is Linux-based) and most web servers. By contrast, the very serious Heartbleed vulnerability from earlier affected a “mere” estimated 50 million machines. This is one of the most serious vulnerabilities ever uncovered and could allow anyone to take over your machine with great ease.
How to check if you’re vulnerable
If you have a VPS, or any machine running Linux over which you have administrative control, you need to take immediate action.
The first step is to check whether your machine has Bash installed. To do this, log into your shell (use Terminal on OS X) and use the command:
If it returns a path, you have Bash installed. If not, then this doesn’t affect you.
The next step is to check whether Bash is vulnerable. To do so, use the command:
If your system is vulnerable, it will print “vulnerable”.
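The two checks above, combined into one script as an added example (this is not code from the original post). The probe string is an assumption based on the widely published Shellshock self-test, the function names are hypothetical, and the script tests only the original function-import flaw, so a "patched" result does not rule out later variants.

```shell
#!/bin/sh
# Added example, not from the original post. The probe string is an assumption:
# it follows the widely published self-test for the first Shellshock flaw.

# Step 1: print the path of bash if it is installed; non-zero status otherwise.
find_bash() {
    command -v bash
}

# Step 2: probe one shell binary. Prints "vulnerable", "patched" or "error".
# A vulnerable bash executes the text that follows the function body while it
# imports the environment, so MARKER shows up before the -c command runs.
probe_shell() (
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo error
        exit 0
    fi
    # stderr is discarded: partially patched builds print an import warning.
    out=$(env 'probe=() { :;}; echo MARKER' "$shell_path" -c 'echo finished' 2>/dev/null) || true
    case $out in
        *MARKER*)   echo vulnerable ;;
        *finished*) echo patched ;;
        *)          echo error ;;
    esac
)

# Run both steps against this machine and print a one-line report.
check_system() {
    bash_path=$(find_bash) || { echo "bash not installed: not affected"; return 0; }
    echo "$bash_path: $(probe_shell "$bash_path")"
}

check_system
```

Rerun the script after every package update; the reported status should change from "vulnerable" to "patched" once the fixed Bash package is installed.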
How to patch it
It is not yet clear to me whether the current patch is completely effective. I’ve seen commentary on both sides. Since this issue is so new, it will require a lot of attention over the coming days to ensure that you are protected.
In the interim, I updated all of the packages on my box, and reran the command above to check whether I was vulnerable, and it no longer printed vulnerable. So for now, I believe that I have done as much as I can do, and will be keeping an eye out for more details over the course of the next day or two.
To completely update your system, run the following command, and then rerun the vulnerability check to confirm that the patch has been applied:
UPDATE: 9/25/14 23:07 EDT
It is now apparent that there are two distinct vulnerabilities in Bash. Earlier patches only addressed the first issue that was uncovered. Vendors are in the process of releasing further patches to close both loopholes.
The key is to keep running your update commands regularly over the coming days so that you get these patches as quickly as possible.
@ryancduff pointed me in the direction of an excellent site that is a succinct, current and informative resource regarding this exploit. I recommend that you review (and continue to review) this site for the latest information about Shellshock. This site also has a command to test for the second exploit that was uncovered. At the time of writing this, Ubuntu has released a distribution which patches both of these exploits.