ShellShock Bug

Apple’s OS X is vulnerable to the Shellshock bug, but it’s not that easy for attackers to take advantage of it, according to Intego, which specializes in security software for the operating system.
Shellshock is the nickname for a flaw in the Bourne Again Shell, or Bash, which is a command-line shell processor widely present in Unix and Linux systems. The flaw in Bash, which has been present for two decades, could allow an attacker to take complete control of a computer.

What Is Shellshock?

The bug stems from coding mistakes in bash, a low-level computer program that’s been part of many, but not all, Unix-related systems for decades. That makes the bug mostly a problem for servers that run Unix, Linux or other similar operating-system variants, although Mac users might also have something to worry about.

The name “Shellshock” is a bit of wordplay based on the fact that bash is a “shell,” a type of program used to execute other programs. Bash, like many other shells, uses a text-based, command-line interface. (If you’re on a Mac, you can see this by opening your Terminal program.) Programmers can use bash to access another computer or computer system remotely and feed it commands.

Bash is short for “Bourne Again SHell,” a pun on Stephen Bourne, the computer-scientist author of an earlier Unix shell known simply as sh. It is compatible with every version of Unix, which made it an obvious choice for the default shell for Linux and Mac operating systems.

Bash is several decades old, and security researchers believe the Shellshock bug has lain undetected in bash for at least 22 years.

So Who’s Vulnerable?

Technically, any computer or system with bash installed is vulnerable. Since bash is installed by default on Unix systems, that includes a lot of computers.

Windows computers are safe; they don’t use bash. But if you’re using a Mac or running Linux, Ubuntu, or some other Unix flavor where bash is the default interpreter, then you could be at risk.

Just because your computer is vulnerable to Shellshock, however, doesn’t mean hackers can target it. For them to do so, they’d have to be able to access your computer’s bash program via the Internet.

If your computer is connected to the Internet through a password-protected wireless network—or physically via an Ethernet cable—you’re still basically safe. If you’re using an open, untrusted Wi-Fi connect, though, you could theoretically be vulnerable to a Shellshock exploit.

Even that’s extremely unlikely, though. The most likely targets, according to cyber security firm FireEye, are Internet servers and related large computer systems.