
{"id":2899,"date":"2014-09-25T00:00:00","date_gmt":"2014-09-25T00:00:00","guid":{"rendered":"http:\/\/otava.test\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/"},"modified":"2014-09-25T00:00:00","modified_gmt":"2014-09-25T00:00:00","slug":"what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/","title":{"rendered":"What to do about Bash bug, which could pose bigger threats than Heartbleed"},"content":{"rendered":"<p>Cybersecurity experts are saying a bug in the widely used command shell Bash could be a bigger threat to users than the Heartbleed bug that surfaced earlier this year. The vulnerability affects Unix-based operating systems, including Linux and Apple\u2019s Mac OS X.<\/p>\n<p>The bug \u2013 which has picked up the moniker Shellshock \u2013 allows an attacker to execute malicious code, take over an operating system and access information. Patches have been issued by many of the major Linux distribution vendors.<\/p>\n<p>Security expert Robert Graham, who has extensive coverage of the bug on his <a href=\"https:\/\/blog.erratasec.com\/\">Errata Security blog<\/a>, describes why it is so worrisome:<\/p>\n<blockquote><p>The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we&#8217;ll never be able to catalogue all the software out there that is vulnerable to the bash\u00a0bug. 
This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable.<\/p>\n<p>The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.<\/p><\/blockquote>\n<p>So, what to do?<\/p>\n<p>ArsTechnica.com <a href=\"https:\/\/arstechnica.com\/security\/2014\/09\/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it\/\">published a test<\/a> to determine if a Linux or Unix system is vulnerable:<\/p>\n<p>To check your system, from a command line, type:<\/p>\n<p><em>env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"<\/em><\/p>\n<p>If the system is vulnerable, the output will be:<\/p>\n<p><em>vulnerable<\/em><\/p>\n<p><em>this is a test<\/em><\/p>\n<p>An unaffected (or patched) system will output:<\/p>\n<p><em>bash: warning: x: ignoring function definition attempt<\/em><\/p>\n<p><em>bash: error importing function definition for `x'<\/em><\/p>\n<p><em>this is a test<\/em><\/p>\n<p>The fix is an update to a patched version of the Bash shell. 
To be safe, administrators should do a blanket update of their versions of Bash in any case, ArsTechnica.com suggests.<\/p>\n<p>David Kennedy, security expert and CEO of northeastern Ohio\u2019s TrustedSec, also <a href=\"https:\/\/www.trustedsec.com\/september-2014\/cve-2014-6271\/\">strongly recommends updating systems<\/a>.<\/p>\n<p>The TrustedSec blog offers this local system test to see if you are vulnerable:<\/p>\n<p><em>env x='() { :;}; echo Your system is vulnerable' bash -c \"echo Test script\"<\/em><\/p>\n<p>However, Graham provides this somber note: \u201cThere&#8217;s little need to rush and fix this bug. Your primary servers are probably not vulnerable to this bug. However, everything else probably is. Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a bash\u00a0patch. And, since most of them can&#8217;t be patched, you are likely screwed.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity experts are saying a bug in the widely-used command prompt software Bash could be a bigger threat to users than the Heartbleed bug that surfaced earlier this year. The vulnerability affects Unix-based operating systems, including Linux and Apple\u2019s Mac OS X. 
The bug \u2013 which has picked up the moniker Shellshock \u2013 allows for malicious code execution to take over an operating system and access information. Patches have been issued by many of the major Linux distribution vendors. Security expert Robert Graham, who has extensive coverage of the bug on his Errata Security blog,\u00a0 describes why it is so worrisome: The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we&#8217;ll never be able to catalogue all the software out there that is vulnerable to the bash\u00a0bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable. The second reason is that while the known systems&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[59],"tags":[],"other_category":[],"class_list":["post-2899","post","type-post","status-publish","format-standard","hentry","category-information-technology-tips"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>What to do about Bash bug, which could pose bigger threats than Heartbleed | OTAVA<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta 
property=\"og:title\" content=\"What to do about Bash bug, which could pose bigger threats than Heartbleed\" \/>\n<meta property=\"og:description\" content=\"Cybersecurity experts are saying a bug in the widely-used command prompt software Bash could be a bigger threat to users than the Heartbleed bug that surfaced earlier this year. The vulnerability affects Unix-based operating systems, including Linux and Apple\u2019s Mac OS X. The bug \u2013 which has picked up the moniker Shellshock \u2013 allows for malicious code execution to take over an operating system and access information. Patches have been issued by many of the major Linux distribution vendors. Security expert Robert Graham, who has extensive coverage of the bug on his Errata Security blog,\u00a0 describes why it is so worrisome: The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we&#8217;ll never be able to catalogue all the software out there that is vulnerable to the bash\u00a0bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable. The second reason is that while the known systems...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2014-09-25T00:00:00+00:00\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"What to do about Bash bug, which could pose bigger threats than Heartbleed\",\"datePublished\":\"2014-09-25T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/\"},\"wordCount\":501,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"articleSection\":[\"Information Technology Tips\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/\",\"url\":\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/\",\"name\":\"What to do about Bash bug, which could pose bigger threats than Heartbleed | 
OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"datePublished\":\"2014-09-25T00:00:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What to do about Bash bug, which could pose bigger threats than Heartbleed\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/sche
ma\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"What to do about Bash bug, which could pose bigger threats than Heartbleed | OTAVA","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/","og_locale":"en_US","og_type":"article","og_title":"What to do about Bash bug, which could pose bigger threats than Heartbleed","og_description":"Cybersecurity experts are saying a bug in the widely-used command prompt software Bash could be a bigger threat to users than the Heartbleed bug that surfaced earlier this year. The vulnerability affects Unix-based operating systems, including Linux and Apple\u2019s Mac OS X. The bug \u2013 which has picked up the moniker Shellshock \u2013 allows for malicious code execution to take over an operating system and access information. Patches have been issued by many of the major Linux distribution vendors. Security expert Robert Graham, who has extensive coverage of the bug on his Errata Security blog,\u00a0 describes why it is so worrisome: The first reason is that the bug interacts with other software in unexpected ways. 
We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we&#8217;ll never be able to catalogue all the software out there that is vulnerable to the bash\u00a0bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable. The second reason is that while the known systems...","og_url":"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/","og_site_name":"OTAVA","article_published_time":"2014-09-25T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"What to do about Bash bug, which could pose bigger threats than Heartbleed","datePublished":"2014-09-25T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/"},"wordCount":501,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"articleSection":["Information Technology 
Tips"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/","url":"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/","name":"What to do about Bash bug, which could pose bigger threats than Heartbleed | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2014-09-25T00:00:00+00:00","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/what-to-do-about-bash-bug-which-could-pose-bigger-threats-than-heartbleed\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"What to do about Bash bug, which could pose bigger threats than 
Heartbleed"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma 
Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=2899"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2899\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=2899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=2899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=2899"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=2899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}