Shellshock: Bash bug 'bigger than Heartbleed' could undermine security of millions of websites – and there's nothing you can do to protect yourself

There's nothing you can do about it either - it's up to the experts to fix it

James Vincent
Friday 26 September 2014 12:52 BST

A security flaw discovered in one of the most fundamental interfaces powering the internet has been described by researchers as "bigger than Heartbleed", the computer bug that affected nearly every computer user earlier this year.

The 'Bash bug', also known as Shellshock, is located in the command-line shell used in many Linux and Unix operating systems, leaving websites and devices powered by these operating systems open to attack.

Like Heartbleed, Shellshock is a pervasive flaw that security researchers say will take years to fix properly. The responsibility to do so, however, rests with webmasters and systems administrators rather than average users.

Security firm Rapid7 has rated the bug as 10 out of 10 for its severity, but "low" for complexity - with hackers able to exploit it using just three lines of code.

However, unlike Heartbleed, Shellshock will not require users to rush from site to site changing their passwords. It does give hackers another method of attack, one that they could potentially use to take over computers or mobile devices.

Robert Graham, a security expert and CEO of Errata Security, told The Independent: "It's really important that people who maintain websites make sure their computers are patched as quickly as they can. Hackers are already going to all websites and trying out this bug."

Mr Graham added that as Shellshock affects “a common bit of code that is used all over the place” it will take a long time for experts to fix all affected systems. “Years from now we’ll keep finding yet another device that’s still not been patched,” he said.

The severity of Shellshock has been recognized by even the US government, with the US Department of Homeland Security releasing a warning about the bug and providing patches to fix affected servers.

Despite this, security experts have said that the effect of Shellshock will be minimal. "Of the top 10 ways hackers will hack computers this year, this won't make the list," said Graham.

The bug itself was first identified by a security team at Red Hat, an American company that provides open-source software and has sponsored initiatives including the Fedora Project and the software for the One Laptop per Child initiative.

It's been estimated that the bug has been present for at least a decade and most likely longer. Writing about the flaw on his blog, security researcher Michal Zalewski commented that it wasn't unusual for Shellshock to have gone unnoticed for so long:

"My take is that it's a very unusual bug in a very obscure feature of a program that researchers don't really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on."

Q&A: The Shellshock bug

Q. What is Shellshock?

A. Shellshock is a mistake in the code of a program called Bash, which is typically installed on non-Windows operating systems such as Mac, Unix and Linux. The bug allows hackers to send commands to a computer without having admin status, letting them plant malicious software within systems.

Q. Could it be used to steal my financial details?

A. Yes. If banks or online retailers use older, “mainframe”-style computing systems, they are likely vulnerable. Home routers and modems could also be targeted as a way to get to PCs and laptops.

Q. Are there any indications it has already been exploited?

A. It’s too early to tell. However, authorities fear a deluge of attacks could soon emerge. The US government has rated the security flaw 10 out of 10 for severity.

Q. What can be done to solve it?

A. Security experts around the world are now rushing to find a fix for the bug, but the widespread and varied use of Bash means there won’t be a single solution. Individual organisations and companies such as Apple will develop patches for their own systems.

Q. What can I do to protect against it?

A. Experts recommend not using credit cards or disclosing personal information online for the next few days. Usual precautions are also recommended such as updating anti-virus software and not visiting dodgy websites.
