Google, Amazon and others react to Shellshock flaw with patches and advice

Linux vendors and big web service providers are racing to mitigate the impact of the Shellshock bug, which affects millions if not billions of systems ranging from Linux desktops and servers to Apple computers running Mac OS X, and many internet-of-things devices.

This vulnerability, which affects the widely used “bash” shell, or command line interface, affects Unix-based systems. It may have been around for as long as 25 years — while it will be impossible to know about most historical exploitations, if indeed they exist, its public exposure this week means criminals will be scrambling to take advantage of it.

Unfortunately, that’s easy for them to do, and this could mean stealing information, propagating malware across systems and taking over users’ computers. Shellshock is really, really nasty, and here’s a run-down of the most important reactions we’ve seen so far:

  • [company]Google[/company] has “taken steps to fix the bug in both its internal servers and commercial cloud services,” the Wall Street Journal reported, quoting an unnamed source. The firm also issued a security bulletin.
  • [company]Amazon[/company] Web Services has issued a bulletin advising those of its customers who use Amazon’s Linux image, or AMI, on how to update it to a patched version.
  • [company]Apple[/company] has claimed most OS X users are not at risk of remote exploits, unless they “configure advanced UNIX services.” However, experts have recommended disabling remote log-in for such systems until the company releases the patch it’s working on. [EDIT, September 30: Apple has released its patch.]
  • [company]Red Hat[/company], which was the first outfit to be notified of the vulnerability, has issued a couple of patches for its server and enterprise Linux products. One, for Red Hat Enterprise Linux (RHEL) versions 5 through 7, seems to be alright. However, the company has warned that the other is incomplete – though it’s still better than nothing.
  • Debian Linux users on the stable “wheezy” distribution should update their bash packages, and Ubuntu users also have updates to make.
  • Governments, such as those of the U.K. and U.S., are trying to mitigate the problem, which leaves many of their systems vulnerable.

I’ll update this list as and when new information comes in. However, as far as completely containing the Shellshock fallout goes, don’t get your hopes up too much. The affected bash shell is so widely used, with so many systems using it unlikely to see patches — I’m looking at you, smart lightbulbs, thermostats and the like — that mitigation will almost certainly remain limited.

This article was updated at 9.15am PT to include a link to Google’s security bulletin.
Gigaom illustration adapted from Purestock/Thinkstock.