Linux and Mac OS X users need to be aware that a critical flaw in the “Bourne Again Shell” (Bash), the program that processes commands, may allow remote attackers to execute arbitrary code. The vulnerability is being referred to as “Shellshock” and is being taken very seriously. Homeland Security and the Federal Financial Institutions Examination Council (FFIEC), among others, have issued urgent alerts on Shellshock.
Bash is often used as the default desktop and server shell for entering commands. Windows users can think of it as the DOS command box. The flaw can affect both desktop and server users, but the potential danger for servers is clearly higher.
This flaw allows attackers who can supply specially crafted environment variables containing arbitrary commands to have those commands executed on vulnerable systems. It is especially dangerous because the Bash shell is so widely used and can be called by an application in numerous ways. Homeland Security has rated this as “high impact” with a “low skill level” required to exploit it.
Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X, include Bash and are likely to be affected.
Bash is frequently used on Linux and Unix web servers and could leave web applications extremely vulnerable to attack. Patches have been released to fix this vulnerability by major Linux vendors for affected versions.
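
To confirm that the vendor patch is actually in place, the following script (an added example, not part of the original alert) checks each local Bash binary for the environment-variable behaviour described above, using a harmless `echo` as the trailing command. The marker string, the variable name `testvar` and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit local bash binaries for the environment-variable flaw.
# MARKER and all function names are made up for this example.
MARKER="bash-env-check-marker"

# Exit status: 0 = binary executes commands trailing a function definition
# in an environment variable (vulnerable), 1 = it does not, 2 = not runnable.
bash_runs_trailing_code() {
    bin=$1
    [ -f "$bin" ] && [ -x "$bin" ] || return 2
    # A vulnerable bash imports "testvar" as a function at startup and also
    # runs the harmless echo after the closing brace. A patched bash treats
    # the value as plain data, so nothing is printed.
    out=$(env testvar="() { :; }; echo $MARKER" "$bin" -c ':' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Candidate binaries: bash entries in /etc/shells plus the bash on PATH.
list_bash_binaries() {
    {
        if [ -r /etc/shells ]; then grep '^/.*/bash$' /etc/shells || true; fi
        command -v bash || true
    } | sort -u
}

# Prints one line per binary; returns 1 if any binary is vulnerable.
# Assumes binary paths contain no whitespace.
audit_bash() {
    status=0
    for bin in $(list_bash_binaries); do
        rc=0
        bash_runs_trailing_code "$bin" || rc=$?
        case $rc in
            0) echo "VULNERABLE  $bin"; status=1 ;;
            1) echo "ok          $bin" ;;
            *) echo "skipped     $bin (not an executable file)" ;;
        esac
    done
    return $status
}

audit_bash || echo "Apply the vendor's bash update to the binaries marked VULNERABLE."
```

Run it again after patching, since a system can carry more than one Bash binary and only some of them may have been replaced by the update.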