A vulnerability reported in the GNU Borne Again Shell (Bash) yesterday has been exploited and used to take over Web servers as part of botnet. This newly discovered security hole has been dubbed “Shellshock” and is similar to the Heartbleed bug that appeared last spring in that it allows anyone with knowledge of the vulnerability to exploit a large number of Web servers.Shellshock-BUG

Bash runs on most of the Linux/Unix platforms that power the web and is likely exploitable on many unpatched systems.

The bug which had gone unnoticed for 22 years, potentially allows hackers to take over a machine and run their own programs in the background. The National Institute of Standards and Technology has declared the vulnerability a 10 out of 10 based on severity, impact, and exploitability, but low in complexity, which means that hackers can easily wreak havoc on any unpatched server they choose.

Should Windows users care? The Web servers that power the internet run on Linux more often than any other platform. Even if you don’t run Linux directly, your business likely does, or you use Linux with any number of services you interact with on a daily basis.  Mac OS X users (including those running the most recent version of Mavericks) are, however, vulnerable.

Linux/Unix/OS X users can check (thanks Ars Technica) to see if they are vulnerable by running this simple system test from a command line.

 env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If your machine is vulnerable, you will see:

vulnerable

this is a test

If your system is already patched, or was not vulnerable:

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

this is a test

Vulnerable systems should immediately update their Bash shell.  Linux Distributors are quickly releasing patches.  Additional patches may be forthcoming as there are indications that some initial solutions might be incomplete.