Security researchers who disclosed the “Bash” computer bug Wednesday warn that the flaw could affect millions of Internet users. Also known as “Shellshock,” the bug lets attackers abuse flawed code to take control of websites. Unlike with the damaging Heartbleed bug earlier this year, though, users trying to protect themselves from this one can do little more than wait.
Shellshock is a security vulnerability in Bash, a Unix shell that millions of Web-connected devices rely upon, and that hackers can exploit to reach computers, phones and other Wi-Fi-ready devices that are online. Unix is best thought of as a collection of software tools used by Web developers, though the average Internet user likely has no idea how widespread this kind of software is.
Robert Graham, an online security expert, told CNET that Shellshock is a more serious problem than Heartbleed because “the bug interacts with other software in unexpected ways.” Heartbleed, disclosed in April, allowed hackers to potentially steal information from 66 percent of the Internet’s active websites by tricking them into revealing passwords used to access and protect information stored on the sites.
“We’ll never be able to catalogue all the software out there that is vulnerable to the Bash bug,” Graham told CNET of the Shellshock/Bash discovery. “While the known systems (like your Web server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: Six months later, hundreds of thousands of systems remain vulnerable.”
So what's to be done? Shellshock is more of a threat than the Heartbleed bug because of its size and the way it infiltrates websites. But even as the U.S. Department of Homeland Security issues a warning about the vulnerability, the onus largely lies on people who create and maintain websites to patch their computer systems.
That process could take a decade, experts have warned, simply because of Unix’s popularity. Ars Technica reported the vulnerability could also affect Mac OS X Mavericks (version 10.9.4).
“Years from now we’ll keep finding yet another device that’s still not been patched,” Graham told the Independent, while being careful to add later, “Of the top 10 ways hackers will hack computers this year, this won’t make the list.”
Red Hat, the open-source software company that disclosed Shellshock, said in its announcement that the Bash flaw has been present for 10 years. While there has yet to be a rash of administrators upset about losing data through this channel, that doesn’t decrease the seriousness for Unix systems containing sensitive data. Tod Beardsley, an engineering manager at the cybersecurity company Rapid7, told Reuters the bug was rated a “10” for severity and had a “low” exploitation difficulty.
“Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera,” he said. “Anybody with systems using Bash needs to deploy the patch immediately.”