If Heartbleed was bad, then Shellshock is potentially devastating. Online security experts are sounding the alarm about the gaping security hole left open by the Bash shell, a piece of software found in millions of machines running on Linux, UNIX and Mac OS X worldwide.
Experts have labeled Shellshock, also known as the Bash bug, as "worse than Heartbleed," and in many respects, it is. Robert Graham, security analyst at Errata Security, says that an "enormous amount of software" interacts with the Bourne Again Shell, aka Bash, in one way or another. Bash is the command shell, or the software that allows users to issue commands to the operating system, used in Linux, Unix and OS X. Windows machines normally do not run Bash, unless the user runs a program such as Cygwin, Git or remote desktop applications.
"It's worse than Heartbleed in that it affects servers that help manage huge volumes of Internet traffic," says Darien Kindlund, director of threat research at security firm FireEye. "Conservatively, the impact is anywhere from 20 to 50 percent of global servers supporting web pages."
It is not just web servers and computers that could be affected, though. Graham says Shellshock can potentially threaten Internet of Things devices, such as video cameras, routers and smart home appliances. The problem could be even more serious for users who have older models of these devices, as they could no longer be supported by their manufacturers and may not be compatible with security updates.
The National Institute of Standards and Technology has rated Shellshock a 10 out of 10 in terms of severity, and says that the bug is easy to exploit even for amateur hackers.
In fact, hackers have already been found to be exploiting the vulnerability in Bash. Security management services firm AlienVault ran a honeypot server looking for attackers and discovered that several machines were already taking advantage of Bash to spread worms, or malicious code that can spread from one vulnerable machine to the next with the potential to reach pandemic proportions if left unchecked.
Chris Wysopal of Veracode cybersecurity firm has also discovered hackers taking advantage of Shellshock to launch distributed denial of service attacks with the use of IRC bots, a discovery confirmed by Kaspersky Labs.
This isn't the only thing online miscreants can do with Shellshock, though. While Heartbleed laid open millions of passwords and other private user information for the stealing, Shellshock allows attackers to take full control of a remote device.
"Bash enables hackers to execute commands to take over your servers and systems," says Kasper Lingard, research head at information security firm Secunia. "We have only seen the tip of the iceberg so far, and only the most obvious attack vectors."
Fortunately, there is a silver lining to all this and, no, the Internet is not going to collapse. GNU, the open source project that develops Bash, has already released a patch to the security hole, while major Linux vendors such as Red Hat, Debian and Suse have also released their own patches. Apple has yet to release an OS X patch but says that "OS X systems are safe by default and not exposed to remote exploits of bash unless users configure UNIX services." Apple is nonetheless working on an OS X update. This thread on the Stack Exchange forum, however, discusses an unofficial fix for Bash on OS X.
Patches released have since been found to be incomplete, but users and web administrators with systems found to be vulnerable are encouraged to use the patches as they are effective in blocking out the attacks already launched. As for IoT devices, experts recommend users to update their firmware, unless they are using older, unsupported models. In that case, users should refrain from connecting these devices to the Internet to prevent hackers from accessing them.
