Emerging Threats

Shellshock, the latest Mac OSX and Linux vulnerability and what it means for you

Authored by a Symantec employee


Security researchers have discovered a new software bug known as the “Bash Bug” or “Shellshock,” or to those more technically “in-the-know” as GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271). This bug, more correctly termed, ‘vulnerability’, potentially allows attackers to gain control over targeted computers.

Safety for every device.

Security is no longer a one-machine affair. You need a security suite that helps protect all your devices – your Windows PC, Mac, Android smartphone or your iPad.

The bug is present in a piece of computer software called, Bash, that is typically found on computers running an operating system called Linux or Unix, of which there are many variations. Generally this operating system is used to power server computers, such as the ones that many of the world’s websites run on. Also impacted are all Apple Mac computers that run Apple’s operating system, OSX. Computers running Microsoft Windows are not impacted by this vulnerability directly, but could be at risk if web servers are compromised.

Who is likely to be targeted by this bug?

There are three likely targets:

  1. We believe the primary target for this vulnerability is public facing web servers that have not yet been patched.
  2. Any computer running Apple’s Mac OSX, server or your personal computer or laptop, is also vulnerable to attack if it has not been patched. [Note: If your Apple Mac computer is running a Norton protection product on it (see full list below) it is already automatically protected from attempts to exploit this vulnerability] Also you should note that this bug does not affect computers running Microsoft Windows. They don’t run Bash.
  3. Many routers and other Internet-connected devices that are running a variation of Linux or Unix.

So, what is Bash?

Bash is a piece of software that is used to translate commands that a user types into actions that a computer can understand. In the early days of computing it was more common for users to directly enter commands; today, point and click user interfaces hide all of this. However, many websites use scripts that contain a collection of such commands to automate interaction with the underlying computer. On a Unix or Linux computer, if you have ever typed commands into a window that has a prompt that looks like this, then you are likely talking to Bash: $ []

The Bash bug allows an attacker to bypass regular security controls to insert additional unauthorized commands; which could, in turn, allow the attacker to steal data or gain control over the web server computer or other device.

The good news: It hasn’t been widely exploited… yet

So far, there is no significant evidence that shows that this bug has been exploited in the wild. However, now that researchers have brought this vulnerability to light, cyber criminals may see this as their chance to take advantage of it. Now it’s up to software companies to quickly create and implement patches and updates, before hackers can reap their unscrupulous rewards.

Am I affected by Shellshock?

We believe Web servers are the likely main targets for attack and it is likely that website owners are working quickly to patch their computers to guard against attack. Unfortunately, there is no easy way to tell which websites may have been attacked so as a general precautionary measure we recommend keeping an eye out for suspicious activity on the accounts you keep online, and periodically changing important passwords, like those to your email accounts, financial accounts and social networks.

Business owners that have professional websites should apply any available patches immediately. For more information on what to do as a business owner, please visit our Security Response Blog.

If you’re a Windows user, your personal device is not vulnerable to this bug. Still, if a web server that runs on Linux has been compromised, and it holds your personal information, you may still be affected. If your personal device or computer runs on Linux or Unix (Mac OS), you may be susceptible, particularly if you are running an un-patched version of Linux or Mac OS.

What precautions should I take to defend against Shellshock?

While the vast majority of the responsibility of thwarting cyber criminalsfrom exploiting this bug lies on software companies and website owners,however, it is extremely important to make sure that all of your softwareremains up-to-date, as it often can contain security patches that will helpkeep your data secure.

Here are a few things that consumers can do to stay protected:

For all users:

  1. We recommend keeping an eye on all of your accounts, on which you store personal information, for signs of unusual activity that may indicate that your account has been compromised.
  2. Consider changing important passwords, like those to your email account, social networking sites, and financial accounts. Can’t think of a unique password? Try our Password Generator. For important financial websites, enable 2-factor authentication. If you use Merril Lynch, Ebay, PayPal or Etrade, you can use the Symantec VIP app.
  3. Apply any available patches to routers, or any other web-enabled devices in your home, as soon as they become available. Remember though to only download patches and software from reputable sites and keep in mind that scammers will likely try to take advantage of Shellshock reports, so be sure to watch out for spam emails and suspicious links that tell you to download software.

Specifically for Mac users:

  1. Norton security products for Mac already include protection against attempts to leverage this vulnerability on a Mac. See a full list of supported products below. Don’t have security software? Check out our all-new, simplified multi-device/multi-OS solution, Norton Security.
  2. Keep an eye out for updates from Apple and be sure apply available patches.

Remember Microsoft Windows computers are not susceptible to attack using this vulnerability.

For more detailed information, you can also visit our Symantec SecurityResponse post on the Shellshock Bash bug vulnerability.

Don’t wait until a threat strikes.

Security threats and malware lurk on Windows PCs, Macs, and Android and iOS devices. If you use more than one device – like most of us do – you need an all-in-one security suite. Meet Norton Security Premium.

Enjoy peace of mind on every device you use with Norton Security Premium.

Symantec Corporation, the world’s leading cyber security company, allows organizations, governments, and people to secure their most important data wherever it lives. More than 50 million people and families rely on Symantec’s Norton and LifeLock comprehensive digital safety platform to help protect their personal information, devices, home networks, and identities.

Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the LockMan Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.