Why the Shellshock Bash Bug Could be Even Worse Than Heartbleed

By Mario Aguilar

Shellshock is a newly discovered vulnerability in software that's in computer systems we use every day. It's kind of like Heartbleed, the OpenSSL bug that scared everyone senseless a few months ago and remains unpatched on thousands of systems. According to some experts, however, Shellshock could be way worse, and it's been around for decades.

Shellshock affects a piece of software called Bash. Bash is a "Unix shell," a command line interface that lets a user talk to a Unix-based system. Originally written in 1980, Bash has evolved from a simple command line interface into one of the most widely used utilities out there. Even though you probably don't see Bash daily, there's a good chance it's running in the background on your system. OS X and Linux both use Bash, and it has been ported to everything from Windows to Android.

Discovered by a team from the open source software company Red Hat, the Shellshock bug allows attackers to inject their own code into Bash using specially crafted "environment variables" that contain Bash function definitions. (Red Hat's servers were having problems; here's a cached version of their explainer.)

Without diving into all the technical nitty-gritty (some of which you can find here), what you need to know is that the bug leaves unpatched systems open to a variety of malicious remote attacks. Bash is commonly used by web servers, so in theory the bug could be used to take over entire websites. Internet-connected devices like webcams are similarly vulnerable. But worst of all, since there's a decent chance your computer is running Linux in the background, an attacker on your network could use the bug to extract personal information from your machine.
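The two paragraphs above describe the mechanism (a function definition smuggled in through an environment variable) and the most exposed surface (web servers, which copy request headers into environment variables before running CGI scripts). The script below is an added example, not code from the article or from Red Hat: it scans constructed web-server access log lines for the function-definition prefix a Bash import would recognise, and it asks the local bash whether it still executes text appended to an imported function. The log lines, IP addresses, the `PROBE` variable name and the marker string are all constructed for the example.

```python
"""Two defender-side checks for the Bash environment-variable bug
(added example; not from the article or Red Hat).

1. scan_access_log(): looks through web-server access log lines for the
   '() {' prefix that marks a Bash function definition. A CGI web server
   copies request headers such as User-Agent and Referer into environment
   variables before running a script, which is how a crafted header could
   reach Bash. That prefix has no business in a header, so a match is
   worth alerting on.
2. local_bash_is_patched(): asks the local bash whether it still executes
   a command appended to an imported function definition. Returns None
   when no bash binary is available.
"""
import re
import shutil
import subprocess

# Bash's exported-function marker; whitespace between ')' and '{' may vary.
FUNC_DEF = re.compile(r"\(\)\s*\{")

# Combined log format: client, ident, user, [time], "request", status,
# bytes, "referer", "user-agent". Quoted fields may contain escaped quotes.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines: a normal request, a request carrying the prefix
# in User-Agent, one carrying it in Referer, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '192.0.2.77 - - [25/Sep/2014:10:02:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.37.0"',
    "not a log line",
]


def scan_access_log(lines):
    """Return (client, field, value) for every header field that carries a
    function-definition prefix. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if FUNC_DEF.search(value):
                hits.append((m.group("client"), field, value))
    return hits


def local_bash_is_patched():
    """True if the local bash ignores text after an imported function body,
    False if it ran the appended echo, None if bash is not installed."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    # PROBE is an arbitrary, constructed variable name: a vulnerable bash
    # parses any environment value that starts with '() {' as a function,
    # and runs whatever follows the closing brace. A patched bash imports
    # only the function, so the marker never reaches stdout.
    env = {"PROBE": "() { :; }; echo SHELLSHOCK_MARKER"}
    out = subprocess.run([bash, "-c", "echo probe-done"], env=env,
                         capture_output=True, text=True)
    return "SHELLSHOCK_MARKER" not in out.stdout


if __name__ == "__main__":
    for client, field, value in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {client}: function prefix in {field}: {value!r}")
    print("local bash patched:", local_bash_is_patched())
```

The log check is deliberately format-aware rather than a bare substring search over the whole line, so the alert says which header carried the prefix; in practice you would feed it the real access log and treat any hit against a `/cgi-bin/` path as high priority. The local check is the same idea as the one-line test Red Hat published, wrapped so it can be run from monitoring code across a fleet.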

But the main reason people are comparing Shellshock to Heartbleed is that the spread of the bug is unknowably vast. Bash is baked into so many systems and has been around for so long that in all likelihood the bug will never be fully fixed. This is vulnerable software that has been spreading across the technological world for years and years.

Security researcher Robert Graham puts the concern pretty succinctly:

The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

In the short term the most obviously affected systems will be fixed. Others, unfortunately, will remain vulnerable, and as Troy Hunt points out in his lengthy technical explainer:

The bigger worry is the devices with no easy patching path, for example your router. Short of checking in with the manufacturer's website for updated firmware, this is going to be a really hard nut to crack. Often routers provided by ISPs are locked down so that consumers aren't randomly changing either config or firmware and there's not always a remote upgrade path they can trigger either. Combine that with the massive array of devices and ages that are out there and this could be particularly tricky. Of course it's also not the sort of thing your average consumer is going to be comfortable doing themselves either.

As for what you need to do: watch out for important security updates to OS X, which are surely around the corner. And though you probably never update the firmware on things like your router, it's not a bad idea to start doing that from now on. [Red Hat]