What's the Deal With This Shell Shock Bug, Anyway?

A new and widespread bug in Bash is being compared to Heartbleed.

Sep 25 2014, 1:30pm

A new computer security vulnerability affects an enormous number of the world's devices, and has the potential to disrupt countless systems, from government websites to ordinary users' computers. Dubbed "Shell Shock," it is being described by some security experts as equal to or worse than the infamous Heartbleed bug.

Shell Shock is a bug in Bash, which is shorthand for the GNU Bourne Again Shell (this is where the name comes from). Bash is the default command-line shell on most Linux distributions and on Mac OS X, and is available on many other Unix systems. Ars Technica also confirmed that the Bash shipped with Mac OS X Mavericks is vulnerable.

Web servers do not run Bash to serve pages directly, but many hand incoming requests to CGI scripts that are written in Bash or call out to it, meaning that individual websites could be affected. Security expert Kenn White tweeted yesterday "Holy cow there are a lot of .mil and .gov sites that are going to get owned by [this]."

In short, the bug can be triggered whenever Bash is started with an environment variable that an attacker controls. That happens more often than it sounds: a web server running a CGI script passes the request's HTTP headers to the script as environment variables, and a DHCP client can do the same with values sent by a rogue DHCP server. Given the popularity of Linux and Unix, that's a broad target. Robert McMillan at Wired explains that hackers who wish to take advantage of it can connect to a vulnerable system remotely, and then just have to execute about three lines of simple code in order to gain access. 
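The mechanism behind those "three lines," as an added example that is not from the original article or from any of the researchers it quotes: vulnerable versions of Bash import shell functions from the environment, and kept executing whatever followed the function's closing brace. The script below builds a probe variable the way a CGI server would build HTTP_USER_AGENT from a User-Agent header, runs a throwaway Bash under it, and reports whether the appended command ran. The payload is a harmless marker, the function name shellshock_status and the marker text are this example's own choices, and the probe string is the widely circulated one-line test, not an attack.

```shell
#!/bin/sh
# Added example, not code from the original article.
#
# Vulnerable Bash versions treat any environment variable whose value
# starts with "() {" as a function definition when a new bash starts.
# The bug: parsing did not stop at the closing brace, so commands
# appended after it ran immediately, before bash ran what it was asked
# to run.  Any program that launches bash with attacker-controlled
# environment variables (a web server handing HTTP headers to a CGI
# script, for instance) therefore hands the attacker command execution.

# Constructed probe: a do-nothing function body, then a command that only
# runs on a vulnerable bash.  The variable name mirrors how CGI exposes
# the User-Agent header; the marker text is this example's own choice.
SHELLSHOCK_PROBE='() { :; }; echo SHELLSHOCK_MARKER'

# shellshock_status [BASH_PATH]
# Prints "vulnerable", "patched" or "no-bash" and returns 1, 0 or 2,
# so the exit status can drive a cron job or CI step directly.
shellshock_status() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
        return 2
    fi
    # Run a trivial command under a fresh bash with the probe in its
    # environment.  A patched bash prints only "probe-ran"; a vulnerable
    # one first executes the appended echo and prints the marker as well.
    # stderr is discarded because patched versions may warn about the
    # ignored function definition, which is noise for this check.
    out=$(HTTP_USER_AGENT="$SHELLSHOCK_PROBE" "$bash_bin" -c 'echo probe-ran' 2>/dev/null)
    case $out in
        *SHELLSHOCK_MARKER*) echo vulnerable; return 1 ;;
        *)                   echo patched;    return 0 ;;
    esac
}

# Usage: check the default bash, or pass a path to check another copy
# (for example a statically linked bash bundled with an appliance).
shellshock_status "${1:-bash}"
```

Because the check starts a fresh Bash process, it tests the binary actually installed rather than the version string it reports, which matters on systems where a vendor backported the fix without bumping the version number. Run it against every Bash you can find, not just the one in PATH.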

Because it's so easy to exploit, security experts already envision that enterprising hackers will create a 'worm'—a self-spreading piece of malicious software—in order to jump from system to system. "People are already exploiting it in the wild manually, so a worm is a natural outgrowth of that," Ryan Lackey, a security engineer from Cloudflare, told Wired.

Discovered by Stephane Chazelas last week but only made public yesterday, the bug may have actually been around for decades.

The National Vulnerability Database, which catalogues known security issues and which is sponsored by the US Department of Homeland Security, has ranked the impact of the bug at the maximum score of 10. It also rated the bug's exploitability—how easily it can be used to gain access to systems—at 10.

In a blog post from cloud computing company Akamai, Andy Ellis wrote that there are several different ways to mitigate the harm from Shell Shock. The most urgent is to upgrade to a patched version of Bash; others include switching to an alternative shell altogether, or cutting off access to vulnerable services—an approach that is probably easier said than done, considering the ubiquity of affected systems.

Comparisons are being drawn with the Heartbleed bug, which was announced in April. Heartbleed was a flaw in OpenSSL, the widely used cryptography library built into an incalculable number of websites and software packages. It allowed anyone who knew about the vulnerability to read chunks of a server's memory, which could contain users' passwords and session cookies and even the server's private keys. Security researchers were incredibly worried when that bug was revealed, urging everyone to change their passwords and other settings.

According to a number of researchers, Shell Shock is on the same level. "Today's bash bug is as big a deal as Heartbleed," researcher Robert Graham wrote on his blog. Graham goes on to explain why, including the fact that Bash is invoked behind the scenes by other software, such as web servers running CGI scripts, that passes attacker-supplied data to it in ways nobody anticipated, and that many services will continue to remain unpatched in the future. 

While larger systems such as web servers will likely get fixed in a reasonable amount of time, other, smaller devices may be ignored. Graham gives the example of an internet-enabled web camera, and points out that even six months after Heartbleed, "hundreds of thousands of systems remain vulnerable."

And, he says, Shell Shock could actually have even more impact than Heartbleed. "Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed," he wrote.

That's not to say that all of your devices are going to get hacked in the next few days, but because not all of the affected systems will be patched, a hacker may use Shell Shock to get at something sensitive long after the headlines fade.

So update your systems if necessary, and then hope that any services you use that are vulnerable to it—cloud storage, for example—update theirs as soon as possible too. Even then, it seems unlikely that this is the last we'll hear of Shell Shock.