Worse than Heartbleed: ‘Shellshock’ Bash bug threatens millions of computer systems worldwide

Worse than Heartbleed: ‘Shellshock’ Bash bug threatens millions of computer systems worldwide
A vulnerability has been discovered within the widely used Bash software included on Linux and Mac operating systems, raising concerns about an exploit that some experts say stands to be more damaging than the Heartbleed bug identified earlier this year.

Researchers revealed on Wednesday this week that a bug has been spotted in Bash — a command-line shell developed in the 1980s and common to Linux and Unix systems — the likes of which may allow attackers to target computers and, if successful, run malicious codes that could let them take control of entire servers pertaining to potentially millions of machines.

But while the so-called Heartbleed bug found in April allowed hackers to spy on vulnerable systems due to a previously undiscovered flaw in the open-source encryption software called OpenSSL, security experts say already that the Bash exploit — being referred to as “Shellshock”— is more severe because exploiting it could allow attackers to seize systems that are vulnerable by running unauthorized code that, in a worst case scenario, gives them full privileges on the plundered machine.

"The method of exploiting this issue is also far simpler,” Dan Guido, the chief executive of a cybersecurity firm Trail of Bits, told Reuters on Wednesday this week of the differences. “You can just cut and paste a line of code and get good results.”

After discovery of Shellshock was identified by researcher Stephane Schazelas on Wednesday, the United States Computer Emergency Readiness Team, or US-CERT, acknowledged the severity of the issue by releasing a statement warning that “exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.”

Heartbleed logo

In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run,” security company Symantec said in a warning on Thursday.

"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, added to Reuters. "Anybody with systems using Bash needs to deploy the patch immediately."

On the government’s official CERT website, a statement tells visitors to read a Wednesday blog post on the website of security company Red Hat where researchers said patching the exploit was a “critical priority” and, given the “pervasive use of the Bash shell,” should be acknowledged by everyone as a serious vulnerability. Separately, the National Vulnerability Database — a group sponsored by the US Department of Homeland Security, CERT and the National Institute of Standards and Technology — gave the bug a rating of “10” in terms of severity, its highest.

Among those who say Shellshock poses a bigger risk than Heartbleed is Robert Graham, a computer expert and co-founder of Errata Security, who tweeted this week that “enough systems are vulnerable for this to be a real concern.”

“Luckily, since bash is open-source, this bug was quickly found before it became widely deployed,” Graham tweeted, but with the caveat: “This ‘bash’ bug is probably a bigger deal than Heartbleed.”

Indeed, a preliminary scan conducted by Graham this week discovered no fewer than 3,000 vulnerable systems. “Consequently,” he wrote, “…this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would ‘game over’ for large networks.”

Patches have since been released that are intended to prevent attacks from exploiting the Bash bug, but the Red Hat security blog said on Thursday that attempts to fix the glitch have so far been incomplete.