Sep 25, 2014, Moderator
Years Old Vulnerability Discovered in Linux and Mac OS X?
A new vulnerability reported by Stéphane Chazelas, a French Unix/Linux specialist, has been discovered in the BASH shell code used in popular Unix-based systems, such as Linux, Mac OS X, and some Android platforms. Surprisingly, the flaw may have existed for decades, and could be the largest exploit to hit the Internet, even surpassing the recent OpenSSL Heartbleed flaw. Some are already referring to the BASH vulnerability as Shellshock.
What makes this exploit so alarming is that it appears fairly easy to carry out against affected systems, yet can result in the injection of malware that can possibly take control of the operating system, access confidential information, or make other system-wide changes without requiring authentication.
Among the biggest concerns are Linux-based Apache web servers, which dominate the Internet. Other systems which may also be vulnerable include routers, security cams, and smart appliances running Linux and connected to the Internet, for which patches may not be readily available or easily implemented.
Red Hat Linux has rated the BASH vulnerability as a 10 out of 10. US-CERT has also issued an alert, referring to specific distros for updated patch info.
According to The Register, you can check whether you're vulnerable to the BASH bug by typing the following into your default shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
env X="() { :;} ; echo busted" `which bash` -c "echo stuff"
If you see "busted", then you are at risk and should check for a released patch.
You can read more at "Today's Bash bug could be breaking security for years" and "Patch Bash NOW: 'Shell Shock' bug blasts Linux, OS X systems wide open".
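The check above can be wrapped so it runs against several shells and yields a status usable in a patch audit. This is an added example, not part of the original post or The Register's article; the function names shellshock_check and shellshock_report are hypothetical.

```shell
#!/bin/sh
# Added example: wraps the env-variable probe from the article in a reusable check.
# shellshock_check exit status: 0 = vulnerable, 1 = not vulnerable, 2 = cannot test.

shellshock_check() {
    sc_shell=$1
    # Refuse paths that are not executable files instead of reporting "safe".
    [ -n "$sc_shell" ] && [ -f "$sc_shell" ] && [ -x "$sc_shell" ] || return 2
    # Same probe as the article: a function-style value followed by a trailing
    # command. A vulnerable bash runs the trailing "echo busted" at startup.
    # stderr is dropped because some patched builds print a warning there.
    sc_out=$(env X='() { :;} ; echo busted' "$sc_shell" -c 'echo stuff' 2>/dev/null)
    case "$sc_out" in
        *busted*) return 0 ;;
        *stuff*)  return 1 ;;
        *)        return 2 ;;   # the shell never ran the requested command
    esac
}

shellshock_report() {
    # Check every shell given as an argument and print one line per shell.
    # Returns 0 only if none of the tested shells was vulnerable.
    sr_bad=0
    for sr_shell in "$@"; do
        sr_rc=0
        shellshock_check "$sr_shell" || sr_rc=$?
        case $sr_rc in
            0) echo "VULNERABLE      $sr_shell"; sr_bad=1 ;;
            1) echo "not vulnerable  $sr_shell" ;;
            *) echo "not tested      $sr_shell" ;;
        esac
    done
    return $sr_bad
}

# Default candidates: /bin/sh plus whichever bash is first on PATH (may be absent).
shellshock_report /bin/sh "$(command -v bash 2>/dev/null)" || true
```

A "not tested" result means the path was missing or not executable, so it should be followed up rather than read as safe.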