September 26, 2014
In 1987, programmer Brian J. Fox wrote one of the Internet’s most widely used tools. The software is named “Bash” (short for Bourne-Again Shell) and now appears in more than 70 percent of devices connected to the Internet, including computers, routers, servers and some mobile phones. Yesterday, security experts warned that Bash contains a software bug called “Shellshock” that could potentially be used to take over hundreds of millions of machines, including Mac computers and smartphones that run Android.
Experts suggest that Shellshock could prove to be a much bigger problem than the Heartbleed bug discovered last spring.
“While Heartbleed could be used to do things like steal passwords from a server, Shellshock can be used to take over the entire machine,” reports The New York Times. “And Heartbleed went unnoticed for two years and affected an estimated 500,000 machines, but Shellshock was not discovered for 22 years.”
That amount of time for going unnoticed is not unusual. Since many commercial tools are built on top of programs developed by the open source community, flaws can eventually become a part of all sorts of products. Bash was maintained by Fox for five years and then handed over to programmer Chet Ramey, who has since been maintaining the software as an unpaid hobby.
On September 12, Ramey was contacted by another open source enthusiast who had discovered the security flaw. A patch was quickly created, and the two attempted to contact major software companies without tipping any hackers.
“An official alert from the National Institute of Standards and Technology warned that the vulnerability was a 10 out of 10, in terms of its severity, impact and exploitability, but low in terms of its complexity, meaning that it could be easily used by hackers,” explains NYT.
“The Department of Homeland Security’s Computer Emergency Readiness Team, US-CERT, advised users and technology administrators to refer to their Linux or UNIX-based operating systems suppliers for an appropriate patch. For users at home, security experts advised them to stay abreast of software updates and check manufacturer websites, particularly for hardware like routers.”
According to The Wall Street Journal, Google and Amazon are busily working to address the issue: “Google has taken steps to fix the bug in both its internal servers and commercial cloud services, a person familiar with the matter said. Amazon released a bulletin Thursday that showed Amazon Web Services customers how to mitigate the problem.”
Meanwhile, hackers are reportedly already using Shellshock to launch botnet attacks. “The shellshock attacks are being used to infect thousands of machines with malware designed to make them part of a botnet of computers that obey hackers’ commands,” Wired reports. “And in at least one case the hijacked machines are already launching distributed denial of service attacks that flood victims with junk traffic, according to security researchers.”