What is the Bash Shellshock bug? Everything you need to know

Bash Shellshock bug

A bug found in Bash is threatening to wreak havoc on millions of computers, web servers and connected devices

There's a big new bug out there, and security experts are warning that it might be more serious than Heartbleed. The latest bug, which affects Bash, hits right at the core of the internet. It affects Unix, Linux, Mac OS X, internet of things devices and Apache web servers. That's a whole lot of computers and servers, and fifty per cent of all websites.

The bug has been described as both extremely serious and very easy to exploit, with hackers potentially able to access any information stored on affected web servers. We explain what the Bash Shellshock bug is, what it means for you and just how serious it could be.

What is Bash and what is the Shellshock bug?

Bash is a command interpreter or shell (hence Shellshock) used on Unix, Linux and Mac OS X, along with a variety of internet of things devices and hardware such as home routers. Bash is also used on Apache servers, which host around 50 per cent of all websites.

Put simply, Bash is a text window that lets users type commands to make things happen. Bash can also read commands given to it from a file, and it is called upon by all sorts of programs and processes to carry out various functions. Computers have been using Bash since the late 1980s and it has gone on to become almost ubiquitous. All versions of Bash through to 4.3 are affected by this vulnerability.

Bash is the default shell for Linux and Mac OS X, two of the most widely-used operating systems in the world. The Bash bug could also affect internet of things devices, as many run Linux distros with Bash. The bug could also affect Google's Android operating system, which is best described as a Linux distribution – although not in the traditional sense.

In simple terms, how does the Bash bug work?

The vulnerability lies in how Bash handles so-called environment variables that are set before the shell is started. A variable can hold a function definition, and Bash is meant to stop reading at the end of that definition; because of the bug it instead goes on to run any code that follows the function body, the second the shell kicks in. In even simpler terms, code shouldn't be allowed to run at the end of a Bash function, but the bug makes this possible.

All a hacker needs to do is get such a variable in front of a Bash process and the appended command will execute. As Bash lies at the heart of so many computers and systems, that gives hackers a way into just about anything. There's no evidence yet that the bug has been used to compromise systems, but it is still early days.

What does the Bash bug let hackers do?

Pretty much anything. An attacker can remotely execute code on affected systems, access internal data, change code or install malicious code on systems and web servers. Half of all websites are vulnerable. That's obviously a big problem.

The most likely attack would be a self-replicating one where malicious code spreads from system to system. Personal computers (such as the one you're looking at right now) probably won't be the target. The real money is made by going after big companies, and that's why Bash is so dangerous: the bug could get hackers behind corporate firewalls, and system administrators will be working frantically to patch the vulnerability.

Is my computer vulnerable?

If you run Windows you don't need to worry. If you run Linux or Mac OS X you're at risk. There is an easy way to check whether your computer might be affected. Open a terminal window and enter the following command at the $ prompt:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The output on a vulnerable system will be:

vulnerable
this is a test

A patched or unaffected system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

What do I need to do to make OS X and Linux safe?

Apple is yet to release a security update, but when it does (and it will) it is essential that you install it. If you run CentOS, Debian, Red Hat or Ubuntu then patches are already available. The United States Computer Emergency Readiness Team (US-CERT) has published an advice page on the Bash bug with links to download operating system updates.

Why is the Bash/Shellshock bug such a big deal?

Bash is at the core of millions of devices from computers to web servers and home routers to security cameras. Experts have said that this bug has the potential to be worse than Heartbleed and that could end up being true. While Heartbleed allowed hackers to spy on computers, Shellshock lets attackers take control of computers, execute code and do just about anything they want. If Bash isn't patched quickly it could have disastrous consequences.

Does it affect Windows?

No. But also yes. Windows doesn't rely on Bash in the same way that Linux and Mac OS X do, but that doesn't mean a Windows system is Bash-free. You won't find Bash on your Windows computer at home, but it could be on server systems with Microsoft components. In short, this isn't a bug that affects Windows itself, but Bash can run on Windows systems. If you're not a system administrator at a major company you don't need to worry about its potential impact on Windows.

I don't run a server, why should I care?

Even if you don't use a Mac or Linux computer at home, the Bash bug is still a big deal. Your most personal information is stored on servers all over the world and you use the internet all the time. The Bash bug could allow hackers to upload worms or other malicious software to vulnerable web servers, which could then be downloaded to your Windows computer. You also access the internet using a router and, as with many connected devices, home routers are likely vulnerable to the Bash bug.

It will be up to system administrators to patch vulnerable systems and keep an eye out for attackers trying to exploit the vulnerability. It will take some time to understand exactly how serious the Bash bug is, but its potential to wreak havoc should not be underestimated. Like Heartbleed, the Bash bug won't go away overnight.
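As an added example (not part of the original article), the Python below shows the shape of the payload described above, a variable value that starts with a function definition `() {` and carries commands after the closing brace, and flags that shape in web server access logs, where administrators watching for exploit attempts against CGI scripts would see it. It assumes Apache's "combined" log format and that the Referer and User-Agent headers are the ones copied into the shell's environment; the log lines and the harmless `echo` trailers are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Shellshock-style value: an exported function definition "() {" with extra
# text after the closing brace, which unpatched Bash ran on import (heuristic).
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

# Apache "combined" log format. Referer and User-Agent are request headers a
# CGI server copies into Bash's environment, so a payload would appear there.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def shellshock_trailer(value: str) -> Optional[str]:
    """Command text after the function body if `value` is a payload, else None."""
    if not FUNC_PREFIX.match(value):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:  # body closed: strip the "; " separator and return
                return value[i + 1:].lstrip("; \t")
    return ""  # function never closed: malformed, but still worth flagging

def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag entries whose Referer or User-Agent carries a Shellshock payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would count these
        for field in ("referer", "ua"):
            trailer = shellshock_trailer(m.group(field))
            if trailer is not None:
                hits.append({"ip": m.group("ip"), "request": m.group("req"),
                             "field": field, "trailer": trailer})
    return hits

# Constructed sample: two probes with harmless "echo" trailers, one browser hit.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:15:32 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-probe"',
    '203.0.113.9 - - [25/Sep/2014:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:16:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ :;}; echo test" "curl/7.37.0"',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns two hits from the same source address, one in the User-Agent and one in the Referer, each with the trailing command isolated so it can be reviewed.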

You haven't told me what I needed to know. Where can I read more?

Here's a suggested reading list for more information about the Shellshock Bash bug:

Bash specially-crafted environment variables code injection attack (Red Hat)

Bourne Again Shell (Bash) Remote Code Execution Vulnerability (US-CERT)

Bash bug as big as Heartbleed (Robert Graham / Errata Security)

Everything you need to know about the Shellshock Bash bug (Troy Hunt)

Bug in Bash shell creates big security hole on anything with *nix in it (Ars Technica)

News. Published 25 Sep 2014
