What You Need to Know about this Security Software Bug
Shellshock, also known as Bashdoor, is a family of security software bugs in the Unix Bash shell. Many Internet-facing services use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
Attackers exploited Shellshock within hours of the initial disclosure by creating botnets on compromised computers to perform distributed denial-of-service attacks (DDoS) and vulnerability scanning. Millions of attacks and probes related to the bug were recorded by security companies in the days following the disclosure.
Shellshock could potentially be used to compromise millions of unpatched servers and other systems. Thus, it has been compared to the Heartbleed bug in its severity.
Apple Inc. commented that OS X systems are safe by default, unless users configure advanced UNIX services. Such advanced users are typically capable of turning the services off until a patch built using Xcode can be implemented.
Within an hour of the announcement of the Bash vulnerability, there were reports of machines being compromised by the bug and botnets based on computers compromised with exploits based on the bug were being used by attackers for distributed denial-of-service attacks and vulnerability scanning.
On September 26th, 2014 the security firm Incapsula, noted 17,400 attacks on more than 1,800 web domains, originating from 400 unique IP addresses, in the previous 24 hours. It’s said that 55% of the attacks were coming from China and the United States. By September 30th, the website performance firm CloudFlare said it was tracking approximately 1.5 million attacks and probes per day related to the bug. On October 6th, 2014, it was reported that Yahoo! servers had been compromised in an attack related to the Shellshock issue.
With the disclosure of the bash vulnerabilities, the information security community was thrown into a bit of a tizzy. Most organizations that have devices running on a *nix platform and that utilize the bash shell are vulnerable.