A few months ago, a serious security issue affecting millions of websites was discovered – Heartbleed – and subsequently patched by many of them, but it looks like that wasn’t the worst security scare for Internet users this year. CNET reports that a new security vulnerability has been found, the “Bash” or “Shellshock” bug, which could be even more serious than Heartbleed because it can affect a variety of Internet-connected devices, from computers to Internet-of-Things gadgets. And apparently, this huge flaw will not be easily fixed.
The Bash bug can be used by attackers to take over an operating system and steal confidential information, and it appears the security vulnerability is at least 25 years old.
The bug is not tied to one operating system: it affects Linux and OS X machines, other Unix-like systems, Windows machines on which Bash has been installed, and any other device that runs Bash. Bash is run in the background by many programs, and an attacker who controls the text of an environment variable that Bash imports – a Web request header handed to a CGI script, for example – can append commands to it that Bash then executes. As a result, regular Internet users can’t really do anything but wait for systems to be patched, which appears to be a complex job.
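The local check a practitioner would run first, added here as an example (it is not from the CNET report or from the people quoted): the payload is an environment variable whose value looks like an exported function definition followed by an extra command. A vulnerable Bash keeps parsing past the closing brace and runs the trailing command when it imports the variable; a fixed Bash ignores it. The function name and the marker string are this example's own choices, and it assumes the Bash to test is reachable as `bash` on PATH unless a path is given.

```bash
#!/bin/sh
# Added example: local test for the Bash environment-variable function-import
# flaw ("Shellshock"). Not code from the original article or from Rapid7/Graham.
# Usage: shellshock_check [path-to-bash]   (default: "bash" on PATH)
# Prints one word on stdout: vulnerable, patched or missing.
# Exit status: 1 = vulnerable, 0 = patched, 2 = binary not found.
shellshock_check() {
    bin="${1:-bash}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo missing
        return 2
    fi

    # Constructed payload: "() { :; }" is a no-op function body, so a correct
    # import yields an empty function. The text after the closing brace is the
    # part a vulnerable bash wrongly executes during environment import.
    # The child's own command ("echo ok") is harmless; we only look for the marker.
    out=$(env x='() { :; }; echo SHELLSHOCK_MARK' "$bin" -c 'echo ok' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_MARK*)
            echo vulnerable
            return 1
            ;;
        *)
            echo patched
            return 0
            ;;
    esac
}

# Run stand-alone: report on the default bash.
shellshock_check "$@"
```

The same pattern is what makes the bug remotely reachable: a Web server running a CGI script exports request headers such as User-Agent into the environment before Bash starts, so the attacker supplies the payload in a header instead of typing it locally. Note also that the first upstream fix turned out to be incomplete and was followed by further patches, so a "patched" result from this single pattern rules out only the original form of the bug; a fully updated Bash is still required.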
“This vulnerability is potentially a very big deal,” security firm Rapid7’s engineering manager Tod Beardsley told CNET. “It’s rated a 10 for severity, meaning it has maximum impact, and ‘low’ for complexity of exploitation – meaning it’s pretty easy for attackers to use it.”
Beardsley continued, “The affected software, Bash, is widely used so attackers can use this vulnerability to remotely execute [code on] a huge variety of devices and Web servers. Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes etc. Anybody with systems using bash needs to deploy the patch immediately.”
Security expert Robert Graham said that the Bash bug is bigger than Heartbleed because the “bug interacts with other software in unexpected ways,” and because many programs interact with the shell. It could affect massive networks, and exploitation is not something existing security systems are set up to detect.
“Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a Bash patch. And, since most of them can’t be patched, you are likely screwed,” Graham added.