Can someone explain the Shell Shock Bash code? [du

Posted 2019-02-25 10:35

Question:

This question already has an answer here:

  • Is the behavior behind the Shellshock vulnerability in Bash documented or at all intentional? 4 answers

I am having problems understanding the following code, which is the Shell Shock 'proof of vulnerability' code. Can someone explain it to me? Especially this part: "() { :;};"

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Answer 1:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

What does env do?
From the docs, env runs programs in a modified environment:

env [OPTION]... [-] [NAME=VALUE]... [COMMAND [ARG]...]

It is clear that x is a name/variable and '() { :;}; echo vulnerable' is the value of the variable.

Now, what is () { :;};?
When a function is exported, bash stores its definition as the value of the environment variable:

$ x() { echo hello world; }
$ export -f x
$ env | grep x
x=() {echo hello world};

Now x='() {:;}' means something similar to writing

$ x() { :; }
$ export -f x
$ env | grep x

That is, we indirectly exported x into the new environment created by env.
Here : is a null statement in bash.

Hope it helps
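
As an added example (not part of the original answer), these POSIX shell functions classify environment values by the "() {" encoding described above and flag any that carry text after the function body, as the test string does. The function names, the naive brace counting and the sample input are assumptions made for this illustration.

```shell
# Added example: flag values using the "() {" function-export encoding.
#
# classify_value VALUE prints one of:
#   plain              does not start with "() {"
#   function           a function body with nothing after its closing brace
#   function+trailing  text follows the body (the shape of the test string)
#   malformed          starts with "() {" but the braces never balance
# Assumption: naive brace counting; quotes and escapes are not parsed.
classify_value() {
    case $1 in
        "() {"*) rest=${1#"() "} ;;   # rest now begins at the opening brace
        *) echo plain; return 0 ;;
    esac
    depth=0
    while [ -n "$rest" ]; do
        tail=${rest#?}
        c=${rest%"$tail"}             # first character of rest
        rest=$tail
        case $c in
            "{") depth=$((depth + 1)) ;;
            "}") depth=$((depth - 1)) ;;
        esac
        if [ "$depth" -eq 0 ]; then break; fi
    done
    if [ "$depth" -ne 0 ]; then echo malformed; return 0; fi
    # Skip separators and spaces directly after the body.
    while :; do
        case $rest in
            ";"*|" "*) rest=${rest#?} ;;
            *) break ;;
        esac
    done
    if [ -z "$rest" ]; then echo function; else echo function+trailing; fi
}

# scan_env reads NAME=VALUE lines on stdin and reports non-plain values.
scan_env() {
    while IFS= read -r line; do
        kind=$(classify_value "${line#*=}")
        if [ "$kind" != plain ]; then
            printf '%s %s\n' "$kind" "${line%%=*}"
        fi
    done
}

# Constructed sample input, one variable per line.
sample_env() {
    printf '%s\n' 'HOME=/home/alice' 'greet=() { echo hello world; }' \
        'x=() { :;}; echo vulnerable' 'broken=() { echo oops'
}
```

Pipe `env` output into `scan_env` to check a live environment. Values that contain newlines are split across lines by this reader and need NUL-delimited handling instead.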