Dangerous “Bash Bug” potentially putting IT systems into shellshock


Call it the “Bash bug” or “Shellshock”; either name describes its capabilities perfectly. The discovery of this new security bug is causing an uproar, as virtually everything in its path, from major servers to connected devices, is potentially vulnerable.

The security flaw, discovered nearly two and a half decades after its creation, gains access to operating systems through command prompts.

At a high level, here is how it works. Normally, when you create a variable on the command line, such as X="Hello World", its value can only ever be saved as a string, which is just plain text. The bug allows an attacker to add a specific set of characters before the text and cause the text after those characters to be executed as a command, which is very bad.

Anything following this “bad” text will be executed, which opens the door for an attacker to take over your system.

Where this gets scary is that web servers use the command-line shell to execute some commands. If a web server is vulnerable to this exploit, an attacker could remotely execute commands on that server and do something dangerous, like install malware. Once attackers can execute commands via the command line, they can cause a lot of problems.
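For anyone reviewing their own web server logs, here is a detection sketch, added as an example and not part of the original post. It assumes Apache "combined" format access logs and that the “specific set of characters” is the opening of a Bash function definition, `() {`; the function and variable names and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A quoted log field; Apache writes an embedded double quote as \"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
# Assumed Apache "combined" layout:
#   ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ '
    + QUOTED + ' ' + QUOTED + r'$'
)
# Opening of a Bash function definition, tolerant of whitespace variations
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')
FIELDS = ("request", "referer", "agent")


def scan(lines):
    """Return (line_number, client_ip, field) for each field carrying the marker."""
    hits = []
    for n, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        m = LOG_RE.match(line)
        if m is None:
            # Malformed or truncated line: search all of it rather than skip it
            if FUNC_DEF.search(unquote(line)):
                hits.append((n, line.split(" ", 1)[0], "raw"))
            continue
        for name, value in zip(FIELDS, m.groups()[1:]):
            # unquote() also catches the marker when it arrives URL-encoded
            if FUNC_DEF.search(unquote(value)):
                hits.append((n, m.group(1), name))
    return hits


# Constructed sample lines: documentation IP ranges, harmless echo text
SAMPLE = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 0 "-" "() { :; }; echo constructed-sample"',
    '198.51.100.8 - - [25/Sep/2014:10:00:03 +0000] '
    '"GET /cgi-bin/q?x=%28%29%20%7B%20%3A%3B%20%7D%3B HTTP/1.1" 404 0 "-" "curl/7.38"',
    '198.51.100.9 - - [25/Sep/2014:10:00:04 +0000] "GET / HTTP/1.1" 200 0 '
    '"() { :;}; echo constructed-sample',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit shows that someone probed the server, not that the probe succeeded; whether it could have worked depends on whether Bash on that host was patched at the time.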

The good news is that we updated our servers on September 24th, the day the exploit was leaked and patched. So if your online store is hosted with Miva directly, you don’t have to worry about Shellshock any longer. However, this bug is as serious a security breach as can exist and should not be overlooked. If your hosting is with someone other than Miva, be sure to contact your hosting company to ensure you are not in danger.

To learn more about exactly how the Bash bug works, watch Tom Scott’s 4-minute breakdown of what he calls the “Shellshock Bug” here.