“Security Concepts Explained” (formally”Security for Grandma” (SFG)) is a semiregular series attempting to explain the technical details of popular security concepts in way that anyone can understand. My target audience is the regular folks out there so if you’re an experienced security professionals you may what to check out some of my other posts.
The Shell Shock Security Bug
The security community is abuzz with a major security hole found in many popular computer systems across the world. In the media you’ll see it referred to as “shell shock” or “bash bug”, and if you believe the hype the world might be coming to an end. To be fair this is a serious problem for anyone that uses a device connected to the Internet, and if you’re still reading my little obscure blog post then that means you are more than a little concerned (or bored). As usual many articles referring to shell shock assume a lot from their readers, and do not always explain some of the terms used. If you don’t understand what a “shell” is or you’ve never heard of “bash” then you’ll probably just skip over most articles – so lets clear up a few terms.
What is a shell?
When used in reference to a computer shell then what we’re talking about is the user interface. Unless someone has printed this post out and given it to you, you’re probably using some sort of shell to read it. However, not all shells are created equal. Some shells are Graphical User Interfaces (GUI) like most people are used to where you can use the mouse to click items thus commanding the computer to do something. On the other end of the spectrum are Command-line Interfaces (CLI) where you have to type out commands to get the computer to do something. I’m sure most of you have seen a command-line before, but for the sake of completion a very simple (and unrealistic) example is if you wanted type out a letter you might have to type the command, “open my letter” to open a word processor rather than simply clicking an image of a letter on a GUI. In short, a shell is just a way to tell the computer what to do and that’s it really.
What is bash?
You will also see “shell shock” referred to as the “bash bug”, and that’s because “bash” is the name of the shell where the vulnerability was found. Don’t get too hung up on the name though. It looks similar to the Windows command-line interface shown above, but usually found on computers running Linux and Unix operating systems. If you’ve only ever used a Windows computer with the familiar “Start button” in the bottom left corner then this may be a mystery to you, but in reality most of the Internet runs on computers that are not like the one you’re used to seeing. However, if you are a Apple Mac user running OS X then bash is on your computer.
I only have a Windows computer. Why should I care about all this?
Good question. The reason the average user should care is that the shell shock bug can be used to do evil things to websites that you visit. So even though you may only have a Windows computer at home, if you browse the Web then this bug could affect you. For example, if the bad guys can use shell shock to take control of your favorite news website then they can potentially break into your computer the next time you check the headlines. Don’t go throwing your computer away just yet though. Now that the problem is known IT professionals are quickly trying to plug the hole.
How does shell shock work?
Unfortunately, this bug is relatively easy to exploit, and there are already reports of bad guys using it to break into computers across the world. What shell shock allows attackers to do is take control of a computer by sending commands to it’s shell. They are able to do this because certain websites send commands to the shell to be able to function correctly. In a perfect world these commands would be filtered and checked first, but that doesn’t always happen. So what happens when a bad guy adds another “evil” command to a normal command? Using our above example instead of typing, “open my letter”, the bad guys can type, “open my letter” and “delete all files”. In this case the intended action was to just open a letter, but instead of stopping there and ignoring the rest of the line, as intended, the command “delete all files” was also run.
Time to panic?
As an average user there is no need to panic. For Mac and Linux users, make sure you update your computer to apply the latest fixes (if available). For Windows users, there is nothing to do for a change. You can rest assured that major companies are working hard to fix any of their systems that are affected; however, many other companies may not be as good about security so in the future I expect to see many stories of security breaches happening due to shell shock. As always been careful with the websites that you visit. If you’re really concerned then you can stick to major sites only for a while, but there’s no guarantee that any of us will be protected from the effects of this bug.