Back in April, computer users around the world had to deal with Heartbleed, a severe vulnerability in the cryptography library OpenSSL that may have exposed private keys for up to 66% of websites, from e-commerce to social media to blogs. While that has now been patched, a new vulnerability is starting to rear its ugly head, and it affects the ubiquitous Unix command shell, Bash.
The bug, tracked as CVE-2014-6271 and disclosed through the security team at software developer Red Hat, affects Linux and Mac OS X systems. Bash lets programs pass function definitions to child shells through environment variables, and vulnerable versions keep executing whatever text follows the function body. Any program that places attacker-controlled input in the environment and then starts Bash, as CGI web scripts do with HTTP request headers, therefore lets a remote attacker run arbitrary commands on the host. As a result, despite the desire of researchers not to overplay the problem, it has been nicknamed “Shellshock”.
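The probe below is an added example, not code from the article, Red Hat or the Bash project. It reproduces the widely circulated one-line check for the bug: it places a function definition with a trailing command in the environment of a child Bash and reports whether that trailing command ran. It also shows the route that matters for the web-facing scripts mentioned later in the piece: CGI servers copy request headers into `HTTP_*` environment variables, so a User-Agent header becomes `HTTP_USER_AGENT` in the script's environment. No real HTTP request is made; the header-to-variable mapping and the marker string are constructed locally, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the article's or the Bash project's code). Probes the
# bash on PATH for CVE-2014-6271 and shows how a CGI request header reaches
# bash as an environment variable. Safe to run: the injected "command" only
# echoes a marker string.

# Marker the injected command prints. Hypothetical name, chosen so it cannot
# appear in normal output.
MARKER="SHELLSHOCK_MARKER_$$"

# Run `bash -c` with one attacker-shaped variable in its environment.
# Prints "vulnerable" if the command after the function body ran,
# "patched" if it did not, "no-bash" if no bash binary is available.
probe_bash_env() {
  varname=$1
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  # A function definition followed by a command. Vulnerable bash executed
  # the trailing command while importing the function from the environment.
  payload="() { :; }; echo $MARKER"
  out=$(env "$varname=$payload" bash -c 'echo handler-ran' 2>/dev/null)
  case $out in
    *"$MARKER"*) echo vulnerable ;;
    *)           echo patched ;;
  esac
}

# Direct check, equivalent to the one-liner circulated at disclosure.
shellshock_check() { probe_bash_env x; }

# CGI convention: header name upper-cased, '-' replaced by '_', prefixed
# with HTTP_. "User-Agent" becomes HTTP_USER_AGENT.
header_to_env_name() {
  printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# The same probe through the variable a CGI handler would see for a given
# request header. This is why a web server fronting a bash script exposes
# the bug to anyone who can send a request.
cgi_header_check() { probe_bash_env "$(header_to_env_name "$1")"; }

# Sanity check for the fix: exporting a function to a child bash is a real
# feature, and patched bash still supports it (through specially named
# variables) while refusing to execute text after the function body.
function_export_still_works() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  bash -c 'greet() { echo hello; }; export -f greet; bash -c greet' 2>/dev/null
}

echo "direct check:           $(shellshock_check)"
echo "via User-Agent header:  $(cgi_header_check User-Agent)"
echo "function export works:  $(function_export_still_works)"
```

On an unpatched system the first two checks print `vulnerable`; after the vendor patch they print `patched` and the exported-function check still prints `hello`, which is the behaviour you want to confirm before declaring a host fixed.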
Errata Security analyst Robert David Graham said the Bash bug could be much bigger than April’s Heartbleed.
“The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug,” he wrote in a blog post.
The US Computer Emergency Readiness Team (US-CERT) said it is aware of the bug and advised users who think they might be vulnerable to patch their systems as quickly as possible.
“US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system. US-CERT recommends users and administrators review the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch.”
But even if you don’t run Linux or Mac OS X on your own machines, Bash should still worry you: Graham adds that Internet of Things devices such as video cameras are highly susceptible, because their software is built around web-enabled Bash scripts.
“Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world. Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”