If you’ve been reading any IT related news over the last week, chances are you’ll be quite familiar with the Shellshock Bash bug which everyone has been talking about. The Shellshock Bash bug affects Bash, which at it’s basic core is an interpreter for Linux and Unix systems. Put simply, the Shellshock bug has the ability to let unknown users execute commands using Bash on desktops, servers and embedded systems all over the world – scary stuff.
If you’re wanting a complete run-down on Shellshock, the way it works and it’s implications, there’s an excellent run-down done by Troy Hunt, which you can read on his website.
ChromeOS at its core runs a Linux kernel and parts intersect with components which may be affected by the bug. But, because of the quite secure design of ChromeOS, it’s not really much to worry about, unless you’re running Developer mode. In Developer mode, there is a possibility that the Crosh shell could be impacted by the bug, but Google is on it already. Chromebook Community manager Andrea, has commented in the Chromebook Central product forum, advising:
The vast majority of users running Chrome OS were not affected by this issue. The only place there is a potential vulnerability is in conjunction with crosh, which must be started manually and does not allow access to the vulnerable functionality. We are releasing an update which will remediate the risk for crosh. Google takes security very seriously and takes every step to ensure the safety of our users and their data. We constantly monitor for security vulnerabilities, and will make the appropriate patches as quickly as possible.
Appreciate you taking the time to inquire!
So, we can expect something for the Developer channel of ChromeOS quite soon.
If you’re running Developer mode, there’s a good possibility you’re running Ubuntu through Crouton, or ChrUbuntu, in which case you may want to check your system using steps outlined on the Ubuntu forums .
The Shellshock Bash bug is no laughing matter, if you thought heartbleed was bad, this is worse. If you are using developer mode, and you’re worried, perhaps changing back to stable or Beta channels till the fix is released is a good idea.