Shellshock Could be a Bigger Threat Than the Heartbleed Bug

Back in April, the Internet was reeling from the threat of Heartbleed, a bug that targeted OpenSSL encryption and stole up to 64kb of data at a time. Millions of users and companies were affected by the bug, and 40 percent of Internet users actively changed their passwords when news of the vulnerability broke. Today, there’s a new threat. Shellshock, a Bash Bug, is leaving Mac users, and Linux, Ubuntu, and other systems vulnerable to attack.

What is a Bash Bug?

A computer’s shell is a way for the user to send requests or communicate with a computer, and bash is actually an acronym for “Bourne Again Shell,” named after Stephen Bourne’s shell code. It’s a basic shell with a couple programs that assist in compatibility. When there’s a vulnerability, hackers add additional code into the shell and can make it do whatever they want.

One common metaphor used to describe this vulnerability is leaving your door unlocked. Someone can easily open it and do whatever they want to your house. Another comparison used by bloggers and the media is having a hole in your shoe. Water, dirt, and gravel can all slip through and damage your foot.

This Flaw Isn’t New

The reason bloggers are using the metaphor of leaving your door unlocked is because this vulnerability has been lurking in the shadows for years. Unfortunately, the recent reveal of the bug and subsequent media coverage are bringing it to the attention of hackers everywhere. Continuing the metaphor, it’s as if a group of criminals just discovered a whole neighborhood that never locks its doors.

Everyone is watching to find examples of Shellshock attacks “in the wild,” or for the purpose of exploiting systems instead of testing for vulnerabilities. ZDNet already reported finding malware that launched Distributed Denial of Service (DDoS) attacks on software and ran common passwords and logins (admin, password, 12345, etc.) in an attempt to hack and steal data.

Who Will Be Affected by Shellshock

For years, Mac users have believed the (busted) myth that their systems will never get viruses and are impervious to any malware or system attacks. This bug could change all of that. Furthermore, Bash is available on any Linux system, and is a common, basic, shell that can be easily used. Several non-Windows devices could be affected.

Security researcher Robert Graham told ZDNet that preliminary vulnerability calculations might be underestimated. DHCP systems are also vulnerable, as malware can worm its way past firewalls to infect more systems. “One key question is whether Mac OS X and iPhone DHCP services are  vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would ‘game over’ for large networks,” he said.

This is why Shellshock is such a threat to technology. It’s a common bug that can be easily exploited, and when it is, hundreds of millions of computers could be affected.

What it Means for Internet of Things

The National Institute of Standards and Technology’s National Vulnerability Database gave Shellshock a 10 out of 10 for the impact the bug could have on the Internet of Things and for its exploitability.

This bug affects more than laptops or one particular device, but rather a range of computers that are connected to the Internet. It would be one thing if only Mac and iPhone users were hurt by Shellshock, but more than half a billion devices from various brands could be accessed. Routers, medical devices, and cell phones that use UNIX-based Web servers are vulnerable. This isn’t just a Mac problem; it’s an Internet problem.

The main difference between Shellshock and Heartbleed is that this bug accesses your OS, giving total control to a hacker who exploits the bug to access your computer. It goes far deeper than stealing information.

How Long Until the Hole is Patched?

Unfortunately, creating a patch for this bug isn’t an easy proposition. Heartbleed only affected one version of OpenSSL, but this hole is found in any and all devices that use Bash. Developers can’t begin to calculate a timeframe for fixing the bug until they have an idea how many devices actually are vulnerable.

Apple announced that it was working quickly to create a Shellshock patch on its devices, and urges users not to worry. Some Linux vendors have already released patches, and Ubuntu has switched from Bash to Dash. Dash is short for Debian Almquist Shell, which is an alternative command interpreter.

What Can Users Do?

Users who aren’t familiar with bugs — much less coding and DDos attacks — are often left wondering what they can do when something like this happens. While most users have to sit and wait for a solution, there are preliminary steps that all computer owners can take to make sure their devices are secure from other types of attacks that could result from Shellshock.

First, change your passwords. If you were one of the 40 percent who changed theirs during Heartbleed six months ago, then it’s time to change them again. If your logins or passwords are easily guessed (like admin and Password123), then change it to something stronger. Hackers are already using this vulnerability to insert password-guessing malware, so change yours before your device is attacked.

Also, update your devices and software immediately. It’s tempting to click out of the window and install an update later, but different software providers will be releasing patches over the next few days. Update your computer today and keep installing as new updates arrive.

Finally, those who are tech savvy can follow instructions provided by WonderHowTo to check whether or not your device is vulnerable.

In the coming days, more information about Shellshock will arise. Some will be good as developers build patches and can determine exactly how many devices are affected. Other news will be bad as hackers beat out developers and take advantage of this vulnerability before it can be fixed. It’s up to users to protect their devices as best as they can and hope developers can fix the bug before the whole Internet of Things is affected.

Image via Flickr by Robbert van der Steeg