A security vulnerability in the GNU Bourne Again Shell (Bash), reported Wednesday, is claiming victims in the wild. The flaw – known to the tech world as CVE-2014-6271 and CVE-2014-7169 – allows a remote attacker to run arbitrary code (read: malware) on a vulnerable server under certain conditions.
The most vulnerable targets to date are web servers that run Apache CGI scripts that are written in Bash or that call system() or popen(). Our telemetry shows the common attack scenario involves calling a vulnerable script and passing the exploit code as the User-Agent string.
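The scenario above leaves a trace in the web server's access log, so it can be searched for. The following is an added example, not code from the original article: it parses Apache combined-format log lines and flags requests whose logged fields carry the Bash function-definition marker. It goes slightly beyond the text by checking the request line and Referer as well as the User-Agent; the sample lines, addresses and script paths are constructed.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted field; Apache logs an embedded quote as \"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ '
                    + QUOTED + ' ' + QUOTED + '$')
# Bash reads an environment value starting with "() {" as a function definition, and
# CGI copies request headers into the environment, so that marker is what to look for.
MARKER_RE = re.compile(r'\(\)\s*\{')

def find_suspect_requests(lines):
    """Return one record per log line whose request, Referer or User-Agent has the marker."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in combined format: skipped, not guessed at
        host, when, request, status, referer, agent = m.groups()
        fields = [name for name, value in
                  (("request", request), ("referer", referer), ("agent", agent))
                  if MARKER_RE.search(value)]
        if fields:
            parts = request.split(" ")
            hits.append({"line": lineno, "host": host, "time": when,
                         "path": parts[1] if len(parts) > 1 else "",
                         "status": int(status), "fields": fields})
    return hits

def summarize(hits):
    """Count flagged requests per client address and per requested path."""
    return Counter(h["host"] for h in hits), Counter(h["path"] for h in hits)

# Constructed sample lines: documentation-range addresses, hypothetical script paths,
# and a placeholder where a real request would carry a command.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:09:12:44 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 312 "-" "() { :; }; PLACEHOLDER"',
    '198.51.100.7 - - [26/Sep/2014:09:12:45 +0000] "GET /cgi-bin/report.cgi HTTP/1.0" 500 0 "() { :; }; PLACEHOLDER" "-"',
    '192.0.2.33 - - [26/Sep/2014:09:13:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 298 "-" "curl/7.37.0"',
    'truncated line that is not in combined format',
]

if __name__ == "__main__":
    flagged = find_suspect_requests(SAMPLE_LOG)
    for hit in flagged:
        print(hit)
    print(summarize(flagged))
```

A flagged line records an attempt, not a compromise; the script named in the request and the Bash version on that host decide whether it had any effect.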
An updated version of Bash released yesterday morning quickly proved to be a partial fix – it makes attacks more difficult to carry out. A couple of hours ago, however, a fix was issued for a number of Linux distros, including CentOS, Debian, Red Hat, and Ubuntu. If you are running a vulnerable Linux distribution, you are advised to update immediately.
Crucially, Mac OS X computers are still vulnerable to the attack. At the time of writing, there is no official patch that can be installed automatically. If you are a Mac OS X user and you also use Bash as your shell in the terminal, then you might want to manually compile Bash from source.