Worse Than Heartbleed? Meet ShellShock: A New Security Threat For OS X and Linux

Matthew Hughes 26-09-2014

A serious security issue with the Bash shell – a major component of most UNIX-like operating systems – has been discovered, with significant implications for computer security worldwide.


The issue is present in all versions of the Bash scripting language up to version 4.3, which affects a majority of Linux machines and the entirety of computers running OS X, and can see an attacker exploiting this issue to launch their own code.

Curious about how it works and how to protect yourself? Read on for more information.

What Is Bash?

Bash (standing for Bourne Again Shell) is the default command line interpreter used on most Linux and BSD distributions, in addition to OS X. It is used as a method of launching programs, using system utilities and interacting with the underlying operating system by launching commands.

In addition, Bash (like most Unix shells) allows UNIX functions to be scripted in small scripts. Similarly to most programming languages – such as Python, JavaScript and CoffeeScript – Bash supports common features such as functions, variables and scope.



Bash is near ubiquitous, with many people using the term 'Bash' to refer to all command line interfaces, regardless of whether they’re actually using the Bash shell. And if you’ve ever installed WordPress or Ghost through the command line, or tunneled your web traffic through SSH, you’ve quite possibly used Bash.

It’s everywhere. Which makes this vulnerability all the more worrying.

Dissecting The Attack

The vulnerability – discovered by French security researcher Stéphane Chazelas – has caused a great deal of panic among Linux and Mac users worldwide, and has attracted attention in the technology press. And for good reason too, as Shellshock could potentially see attackers gaining access to privileged systems and executing their own malicious code. It’s nasty.

But how does it work? At the lowest possible level, it exploits how environment variables work. These are used both by UNIX-like systems and Windows to store values that are required for the computer to function properly. These are available globally across the system and can either store a single value – such as the location of a folder or a number – or a function.



Functions are a concept that is found in software development. But what do they do? Simply put, they bundle a set of instructions (represented by lines of code), which can later be executed by either another program or a user.

The issue with the Bash interpreter lies in how it handles storing functions as environment variables. In Bash, the code found in functions is stored between a pair of curly braces. However, if an attacker places some Bash code outside the curly braces, after the end of the function, Bash executes it as soon as it reads the variable. This leaves the system wide-open for a family of attacks known as code-injection attacks.

Researchers have already found potential attack vectors by exploiting how software such as the Apache web server, and common UNIX utilities such as Wget, interact with the shell and use environment variables.
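Because a web server hands request headers to CGI programs as environment variables, attempts against this bug show up in access logs as header values beginning with `() {`. The script below is an added example, not part of the original article: it scans Apache combined-format log lines for that prefix and reports which field carried it. The log lines, IP addresses and CGI path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: flag access-log entries whose request
# line, Referer or User-Agent carries the "() {" function-definition prefix.

# Constructed sample in Apache combined log format (documentation IP ranges;
# the CGI path is hypothetical). The probe string is the article's own test.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [26/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:10:00:05 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 64 "-" "() { :;}; echo vulnerable"
203.0.113.5 - - [26/Sep/2014:10:00:09 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 64 "() { :; }; echo vulnerable" "curl/7.38.0"
192.0.2.99 - - [26/Sep/2014:10:00:12 +0000] "GET / HTTP/1.1" 200 512 "-" "agent \"x\" () { :;}; echo vulnerable"
EOF
}

# Read log lines on stdin; print "<client-ip> <field(s)>" for each hit.
scan_log() {
    awk -F'"' '
    # True when s contains "()" followed by optional blanks and "{".
    function hit(s) { return s ~ /\(\)[ \t]*[{]/ }
    {
        split($1, pre, " "); ip = pre[1]; where = ""
        if (hit($2)) where = where " request"
        if (hit($4)) where = where " referer"
        if (hit($6)) where = where " user-agent"
        # Escaped quotes inside a field shift the split; still report the line.
        if (where == "" && hit($0)) where = " unparsed"
        if (where != "") print ip where
    }'
}

sample_log | scan_log
```

To scan a real log, feed it on standard input, for example `scan_log < access.log`.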


How Do You Test For It?

Curious to see if your system is vulnerable? Finding out is easy. Just open up a terminal, and type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If your system is vulnerable, it will then output:

 vulnerable
 this is a test

Whilst an unaffected system will output:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test
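The manual test above checks only the `bash` found first on your path. The script below is an added example, not part of the original article: it runs the article's test and the `BASH_FUNC_x()` variant quoted in the comments against each Bash binary the system is likely to use, including `/bin/sh` when that is really Bash. The marker string, function names and verdict words are this example's own, and "not-triggered" covers these two test strings only.

```shell
#!/bin/sh
# Added example, not from the article: run both test strings quoted on this
# page against every bash binary the system is likely to invoke.
MARKER="canary-$$"   # unique marker, so the shell's own messages cannot match

# Map captured probe output to a verdict.
classify_output() {
    case $1 in
        *"$MARKER"*) echo vulnerable ;;     # code after the "}" was executed
        *probe-ran*) echo not-triggered ;;  # only the requested command ran
        *)           echo inconclusive ;;   # the shell did not run the command
    esac
}

# probe_bash BASH_PATH ENV_ASSIGNMENT
# prints vulnerable | not-triggered | inconclusive | missing
probe_bash() {
    if [ ! -x "$1" ]; then echo missing; return 0; fi
    # stderr is discarded: partially patched builds print import warnings.
    out=$(env "$2" "$1" -c 'echo probe-ran' 2>/dev/null) || true
    classify_output "$out"
}

# Print the Bash version if /bin/sh is really Bash, otherwise nothing.
sh_bash_version() {
    /bin/sh -c 'echo "${BASH_VERSION:-}"' 2>/dev/null || true
}

# Probe each candidate binary once, with both variants.
check_system() {
    candidates="$(command -v bash 2>/dev/null || true) /bin/bash"
    if [ -n "$(sh_bash_version)" ]; then candidates="$candidates /bin/sh"; fi
    seen=""
    for bin in $candidates; do
        case " $seen " in *" $bin "*) continue ;; esac
        seen="$seen $bin"
        v1=$(probe_bash "$bin" "x=() { :;}; echo $MARKER")
        v2=$(probe_bash "$bin" "BASH_FUNC_x()=() { :;}; echo $MARKER")
        echo "$bin: original test=$v1, BASH_FUNC_x() test=$v2"
    done
}

check_system
```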

How Do You Fix It?

By the time of publication, the bug – which was discovered on the 24th of September, 2014 – should have been fixed and patched. You simply need to update your system. Whilst Ubuntu and Ubuntu variants use Dash as their main shell, Bash is still used for some system functionality. As a result, you’d be well advised to update it. To do that, type:

sudo apt-get update
sudo apt-get upgrade

On Fedora and other Red Hat variants, type:

sudo yum update

Apple is yet to release a security fix for this, although if they do, they will release it through the app store. Ensure you are regularly checking for security updates.


Chromebooks – which use Linux as their foundation, and can run most distros without much fuss – use Bash for certain system functions and Dash as their main shell. Google should update in due season.

What To Do If Your Distro Hasn’t Fixed Bash Yet

If your distro is yet to release a fix for Bash, you might want to either consider changing distributions, or installing a different shell.

I’d recommend beginners check out Fish Shell. This comes with a number of features that aren’t currently available in Bash and make it even more pleasant to work with Linux. These include autosuggestions, vibrant VGA colors and the ability to configure it from a web interface.

Fellow MakeUseOf author Andrew Bolster also recommends you check out Zsh, which comes with tight integration with the Git version control system, as well as autocomplete.

The Scariest Linux Vulnerability Yet?

Shellshock has already been weaponized. Within one day of the vulnerability being disclosed to the world, it had already been used in the wild to compromise systems. More troublingly, it’s not just home users and businesses that are vulnerable. Security experts are predicting that the bug will also leave military and government systems at risk. It’s almost as nightmarish as Heartbleed was.

So, please. Update your systems, okay? Let me know how you get on, and your thoughts about this piece. Comments box is below.


  1. DJ Shiva
    December 29, 2014 at 3:07 pm

    Okay, so I am running Mac OSX 10.6.8 still, Terminal says the vulnerability is there, but no update is available on this for me. Now what?

  2. Anonymous
    December 25, 2014 at 9:10 am

    Shrishail is correct but it seems some quotes are changed during the copy-paste.
    Before pasting in Terminal, change all curly-quotes into straight-single quote.

    env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

  4. Shrishail
    October 24, 2014 at 4:11 am

    This is the correct one...
    env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

  5. robynsveil
    October 18, 2014 at 12:29 am

    I'm curious: doesn't *anyone* find it unspeakably odd that this so-called vulnerability has existed for as long as BASH has been around, and only now that this potential problem has come to light have evil-doers weaponised it? Really? Only now?

    Or, is this more about network admins doing their job properly and preventing this sort of potential issue becoming a real issue.

    Based on your:
    " Within one day of the vulnerability being disclosed to the world, it had already been used in the wild to compromise systems."
    statement, Matthew, I followed your link on the so-called "Exploits" and got Liam Tung, a strong Microsoft proponent, who himself linked to the AusCert missive, which simply said:
    "Original Bulletin:

    Comment: AusCERT has received reports that this vulnerability is
    currently being exploited in the wild. Administrators should patch
    vulnerable systems as soon as possible."

    No links, no actual incidents, "have received reports" is it. So, your comment on a comment on a comment is at this point without basis. Further searches have revealed: "The Australian Computer Emergency response team AusCERT last week said there had been 'lots of chatter' in various parts of the internet about the bug, along with guides on how to exploit it, including code to cut and paste and try out." No actual evidence it has been used to compromise a system, just chatter.

    Which is what this is. Chatter.

    As opposed to 56 million actual credit-cards compromised in one retailer alone, this whole proof-of-concept potential issue hasn't seen any actual victims yet.

  6. Anonymous
    October 5, 2014 at 2:22 pm


    bash --version
    GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)


    bash --version
    GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)

  7. Shame
    October 5, 2014 at 12:49 am

    Did cut&paste and got > same as comments above. Edited and retyped all single and double quotes as below. Running Fedora 19 with bash default shell. So guess not vulnerable as per 2nd test below

    xxx$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    this is a test

    also after same editing:

    xxx$ env x='() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `BASH_FUNC_x'

  8. Anonymous
    September 30, 2014 at 11:11 pm

    I read these alerts and then check my Apple updates, or immediately receive an Apple update alert and it’s now 6 days after this was first discovered (?). Nada !

  9. Anonymous
    September 30, 2014 at 12:39 pm

    I support my wife's Mac w/ OSX 10.9.5. She only uses OSX's GUI. I want to protect her from threats. I'm running Symantec NIS 5.6 for Mac with up-to-date definitions. It is her production machine and I treat it accordingly. I ran your vulnerability test on a Bash cl and got the 'vulnerable' return for bash-3.2. However, I am cautious about using your 'sudo apt-get update/upgrade' prior to an OSX system update from Apple. Suggestions about best way to protect native OSX 10.9.5 from ShellShock?

  10. hotdoge3
    September 30, 2014 at 4:07 am

    Still more vulnerabilities in bash? Shellshock becomes whack-a-mole

    hard to fix and 20 Years to find

  11. Mark S
    September 28, 2014 at 4:44 pm

    I'm running Linux Mint 17 XFCE edition and I open up a terminal and put in env x='() { :;}; echo vulnerable’ bash -c “echo this is a test” and all I get is this > just an arrow nothing more so is it fixed or what

    • Matthew H
      September 29, 2014 at 3:52 pm

      Hey! Try again and let me know how you find it!

  12. Edna
    September 28, 2014 at 3:24 am

    While humans create programs there is always the possibility of bugs that can cause problems and vulnerabilities down the track. That is why I use Puppy Linux! See puppies aren't just cute ;-)

  13. Patrick Muldoon
    September 28, 2014 at 2:29 am

    While ZSH is awesome (you can also check out the fish shell). Just using it isn't going to solve all your Bash issues. On some linux distros /bin/sh is actually bash, which causes this to be even more destructive. So even if you use zsh as your default (like I do) you will need to update your system, as bash can be used in lots of places you aren't aware of.

    We've seen requests in our logs of people trying to exploit this fairly soon after it was announced (We are a BSD shop, and don't install bash by default as part of our stack).

  14. Christian C
    September 27, 2014 at 5:40 pm

    The problem copying and pasting the code in the article has now been fixed. Apologies to all concerned.

    • Matthew H
      September 27, 2014 at 8:56 pm

      Thanks Christian!

  15. Andrew Kelley
    September 27, 2014 at 12:27 pm

    One can argue the fact that Linux may not be as safe as any other system, but the fact remains that when a vulnerability IS found in Linux, the community of millions (more times than not) can effect a fix virtually overnight and within a mere 24 hour period the fixes are included in system updates. Proprietary systems on the other hand have to scramble a relatively small handful of their entrusted code workers to effect a repair and exactly how long it takes can vary. Even with a possible vulnerability Linux is still (and always will be) my first choice.

    • Matthew H
      September 27, 2014 at 8:57 pm

      Indeed. Thanks for your comment Andrew! :)

  16. KT
    September 27, 2014 at 1:11 am

    Linux is finally in the big leagues! Two major threats so far, once we get about a half a million more, we'll be as big as Windows! (Just trying to make light of a serious situation). I updated my pclinuxos mate yesterday and did the terminal check, seems good. I just replaced my wife's pclinuxos full monty with the new Zorin and it's up to date too. Hopefully all stays well. Thanks for the head's up.

    • Matthew H
      September 27, 2014 at 8:48 pm

      No worries. Glad you enjoyed the piece.

  17. D'Jasper Probincrux III
    September 26, 2014 at 8:40 pm

    What happens when you sit around all day bashing Windows security. What goes around comes around. Linux community got what they deserved. Heart bleed now this. Haha! I hope more to come!

    • Matthew H
      September 27, 2014 at 8:48 pm

      I wouldn't be too celebratory. *NIX is everywhere, from banking to embedded systems. This affects you, even if you don't immediately realize it.

    • J V
      October 1, 2014 at 1:53 am

      "Dog bites man isn't news. Man bites dog, is news."

      It's been fixed already, no need to wait for Patch Tuesday.

  18. Simeon M
    September 26, 2014 at 8:11 pm

    "It’s almost as nightmarish as Heartbleed was."
    It is WAY more dangerous and nightmarish!

    • Matthew H
      September 27, 2014 at 8:46 pm

      Arguably, yeah.

  19. James Bruce
    September 26, 2014 at 7:57 pm

    This doesn't explain how one would actually take advantage of OS X though. From what I've heard you can use common CGI scripts to exploit a web server with this , but for a home user running OSX ?

    • Matthew H
      September 27, 2014 at 1:32 pm

      Two words: 'compromised DHCP'.

    • James B
      September 27, 2014 at 3:07 pm

      So "never gonna happen" then.

    • Matthew H
      September 27, 2014 at 8:46 pm

      Connect to a network with a compromised DHCP server? Totally possible.

  20. Jobin Joseph
    September 26, 2014 at 6:02 pm
    • Matthew H
      September 27, 2014 at 10:37 pm

      Cool. Cheers for your comment Jobin!

  21. stuart
    September 26, 2014 at 4:45 pm

    I also got stuck on the > prompt
    this is just due to copying and pasting (HTML markups and such)
    what to do is copy the command into a text editor, and edit the last double quote
    copy and paste the below

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    • Matthew H
      September 27, 2014 at 2:06 pm

      Thanks Stuart!

  22. Andrew B
    September 26, 2014 at 4:13 pm

    Anyone running any Debian Derivative (Ubuntu, Mint, etc) should enable automatic security upgrades as per

    • Matthew H
      September 27, 2014 at 1:48 pm

      Sage advice. Thanks Andrew.

    • dragonmouth
      September 30, 2014 at 12:08 pm

      Don't you mean "Anyone running any UBUNTU derivative"

  23. David S
    September 26, 2014 at 4:06 pm

    "man bash" is hella long. To find out the version of bash you're running:
    bash --version

    • Matthew H
      September 27, 2014 at 1:31 pm

      Good shout!

  24. Mohammed Ashif
    September 26, 2014 at 4:05 pm

    bash: vulnerable: command not found :(

    • Matthew H
      September 27, 2014 at 1:31 pm

      Did you run:
      env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

      Or did you just type 'vulnerable'?

  25. MrX
    September 26, 2014 at 3:49 pm

    When I run env x='() { :;}; echo vulnerable' bash -c "echo this is a test” on my server I get nothing. It just sits on >

    Then again I've done all my server updates.

    • Andrew B
      September 26, 2014 at 4:12 pm

      There was a 'sneaky' version of this exploit that the original version didn't catch

      [Broken URL Removed]

    • Sudeepto D
      September 26, 2014 at 4:15 pm

      I was also getting stuck on >

      Use the below command I copied from the article from on same topic.

      env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    • Martin Harvey
      September 26, 2014 at 4:19 pm

      Me too but I'm having an issue on the formatting - where are there (any) spaces for instance

    • Lee
      September 26, 2014 at 7:20 pm

      I had the same issue. Paste the command again, but backspace the extra whitespace after the last quote mark, then hit enter.

    • Matthew H
      September 27, 2014 at 10:16 pm

      Sorry! Try copying the code again. We changed some formatting in the snippet.

    • Phani Karan R
      September 28, 2014 at 6:13 am

      Try this

      env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"