Independent
California
A security flaw discovered in one of the most fundamental interfaces powering the internet has been described by researchers as ‘bigger than Heartbleed’, the computer bug that affected nearly every computer user earlier this year.
The ‘Bash bug’, also known as Shellshock, is located in the command-line shell used in many Linux and Unix operating systems, leaving websites and devices power by these operating systems open to attack.
Like Heartbleed, Shellshock is a pervasive flaw that security researchers say will take years to fix properly. The responsibility to do so however rests with webmasters and systems administrators – rather than average users.
Security firm Rapid7 has rated the bug as 10 out of 10 for its severity, but “low” for complexity - with hackers able to exploit it using just three lines of code. However, unlike Heartbleed, Shellshock will not require users to rush from site to site changing their passwords but it does give hackers another method of attack that they could potentially use to take over computers or mobile devices.
If Heartbleed’s effect on users was akin to unlocking everyone’s front door simultaneously, sending people scrambling back home to turn the key (ie change their passwords) then Shellshock is like giving thieves a new type of crowbar to break in to houses with - they’re just as likely to use older methods, but it’s still a blow for general security. Security researchers are especially worried about its potential - but as yet unknown - effect on Apple Mac computers.
, which uses the Bash software which the bug exploits directly in the form of its command-line program Terminal.
Robert Graham, a security expert and CEO of Errata Securitytold The Independent: “It’s really important that people who maintain websites make sure their computers are patched as quickly as they can. Hackers are already going to all websites and trying out this bug.”
Mr Graham added that as Shellshock affects “a common bit of code that is used all over the place” it will take a long time for experts to fix all affected systems. “Years from now we’ll keep finding yet another device that’s still not been patched,” he said.
The severity of Shellshock has been recognized by even the US government, with the US Department of Homeland Security releasing a warning about the bug and providing patches to fix affected servers.
Despite this, security experts have said that the affect of Shellshock will be minimal. “Of the top 10 ways hackers will hack computers this year, this won’t make the list,” said Graham.
The bug itself was first identified by a security team at Red Hat, an American company that provides open-source software and has sponsored initiatives including the Fedora Project and the software for the One Laptop per Child initiative.
It’s been estimated that the bug has been present for at least a decade and most likely longer. Writing about the flaw on his blog, security researcher Michal Zalewski commented that it wasn’t unusual for Shellshock to have gone unnoticed for so long:
“My take is that it’s a very unusual bug in a very obscure feature of a program that researchers don’t really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on.”