Here's what you need to know about Shellshock vulnerability

By Lily Hay Newman, Slate
28 Sep, 2014 12:19 AM

Here’s what you need to know. (Windows users, you’re OK!)

This week you may have heard about something called Shellshock. It's a vulnerability in something else called Bash. Oh, and Bash is a Unix shell. And the Shellshock vulnerability may be larger than Heartbleed, the bug in a widely used open-source encryption library that was revealed earlier this year. What the heck is going on? Let's talk it out.

First of all, Unix is an operating system that appears in a lot of different forms. Apple's OS X operating systems, for example, are Unix-based, but Unix is also widely used in servers and other networked devices like modems or security cameras. You run into it much more often than you think.

The shell

A Unix shell is your window into how the operating system is actually running. Instead of the graphical user interface (the thing we are usually interacting with on our personal computers), you type text directions into what's called a command line, and instruct the computer to execute tasks. And you're usually using a Unix shell like Bash through what's called a terminal emulator. That's why the command line program in Apple's OS X operating systems is called Terminal.

The vulnerability

OK, now let's get to the vulnerability. Bash is great for accessing computers remotely because it's text-only. If you have a keyboard, you're good to go. But that also potentially makes it easy for a malicious hacker to remotely access computers that she shouldn't. If there's a vulnerability in Bash, she can exploit it. And there is.

The bug

Essentially, the bug comes from how Bash handles what are called "environment variables." If you know about the vulnerability, you can trick Bash into executing commands that it shouldn't even be registering as commands. The malicious command can be sort of tucked into text that Bash should ignore. And it can direct a computer to download malware or wreak all kinds of havoc.

The reason it's important to understand what Unix and Bash are is so you can begin to grasp how widely Bash is distributed. It's the default Unix shell command line processor in OS X, Linux, and other operating systems. It's not used in most Microsoft software, so the Windows operating systems and websites built with Microsoft tools should be safe from this vulnerability. But Bash has been around since 1989, so it's in a lot of devices.

Even worse in terms of controlling this bug, Bash is used on the Internet by software that automatically interacts with other programs in certain prescribed situations. For example, there's no human involved when a website queries a server for updated content.
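
For defenders, the trick described above leaves a recognisable trace: pre-patch Bash treated an environment variable whose value starts with `() {` as a function definition and kept running whatever followed it. The added example below (not part of the original article; the log lines, addresses and function names are constructed for illustration) scans web server access-log lines for that marker and ranks the sources.

```shell
#!/bin/sh
# Added example: flag access-log lines carrying the Bash function-definition
# marker "() {" that pre-patch Bash would parse out of an environment variable.

# Constructed sample in combined log format (documentation-range addresses).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 77 "-" "() { :; }; <command elided>"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test HTTP/1.1" 404 0 "() { x; }; <command elided>" "curl/7.30"
192.0.2.10 - - [25/Sep/2014:10:02:11 +0000] "GET /docs?q=main() HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:03:40 +0000] "GET / HTTP/1.1" 200 512 "-" "(){ :;}; <command elided>"
EOF
}

# Print every stdin line that contains "()" followed, after optional
# whitespace, by "{". Deliberately broad: it matches the marker in any logged
# field, so treat hits as leads to review, not proof of compromise.
find_probes() {
    grep -E '\(\)[[:space:]]*\{' || true   # grep exits 1 when nothing matches
}

# Number of suspicious lines on stdin.
count_probes() {
    find_probes | wc -l | tr -d ' '
}

# Hits per source address, busiest first, as "<count> <address>".
probe_sources() {
    find_probes | awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# Probes answered with a 2xx status reached a live handler: triage these
# first. Prints "<address> <path>"; assumes the standard request-line layout.
answered_probes() {
    find_probes | awk '$9 ~ /^2/ { print $1, $7 }'
}

# Report over the constructed sample.
echo "suspicious lines: $(sample_log | count_probes)"
sample_log | probe_sources
sample_log | answered_probes
```

A 2xx status only shows that the request reached a handler, not that anything ran; patching Bash is needed whatever the logs show.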

Patches

At this point, patches are available for Unix and Linux. Apple is presumably scrambling to deliver one as well. In a statement to iMore, an Apple representative said, "The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. ... With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced Unix services."

Even so, sites like Ars Technica and Krebs on Security are reporting evidence that hackers were exploiting the bug before it was discovered and that new ones are jumping on the bandwagon every moment. And it seems likely that someone, or lots of people, will create worms that exploit the bug and spread between vulnerable computers. Lovely.

People have been saying that Shellshock (named because it's a vulnerability in a Unix shell, but you probably already figured that out) is a bigger bug than Heartbleed. One reason it seems like such a daunting problem is that much of the vulnerable software lives out of public sight. With Heartbleed, we could all take action. We waited for websites to patch the bug, and then we changed our passwords. But unless you are a router manufacturer or run a server farm, you may not know how to go about helping. And you may not be able to at all.

To give you a sense of how concerned people are, Robert Graham of Errata Security wrote that the bug can hide "deep within a website." And Rich Mogull, the CEO of the cybersecurity firm Securosis, told Ars Technica that:

Bash is embedded and accessed in so many ways that we cannot fully understand its depth of use. Many systems you would never think of as having a command line use bash to run other programs. ... We cannot possibly understand all the ways an attacker could interact with Bash to exploit this vulnerability.

The future

So what's gonna happen now? Servers and embedded devices will increasingly receive patches that eliminate the threat, but it will take a long time before Shellshock is a nonissue because Bash has just been around for so long. It's everywhere. For individuals, take you for example, the threat is probably fairly low, but there could be flare-ups where a trove of data gets compromised or personal accounts are accidentally exposed to malware because of Shellshock.

And if you're just feeling fed up with all of these vulnerabilities, steel yourself and keep in mind what Slate's Bitwise writer David Auerbach wrote after the discovery of Heartbleed: "Are there other zero-day bugs in ... core infrastructure like Apache or BIND? Almost certainly."

- Slate
