Bash bug aka 'Shellshock' hurts OS X, Linux, UNIX and more: Worse than Heartbleed but quickly patched

Security experts have unearthed a new vulnerability in a piece of software used in the open-source Linux operating system and other UNIX-based platforms, and they believe it poses an even bigger threat than Heartbleed.

Open source software firm Red Hat released a public service announcement on its website describing CVE-2014-6271, otherwise known as Shellshock, as potentially "catastrophic." The vulnerability is found in the system's Bash shell, a command prompt software that serves as a middleman to translate commands from the user to the operating system.

Red Hat says hackers can exploit this vulnerability in the Bash shell to incorporate malicious code into a user's system while bypassing the computer's default security measures to execute codes that allows hackers to access confidential information, take over a user's computer and a variety of other cyber-attacks.

"An attacker could use this feature to override or bypass restrictions to the environment to execute shell commands before restrictions have been applied," says Red Hat. "Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue."

Red Hat describes the severity of Shellshock as "urgent," and another cybersecurity engineer, Tod Beardsley of Rapid7, gives the bug a 10 in terms of severity, which means it is expected to have maximum impact on all users with a device running on a UNIX-based operating system, including Linux and Apple's Mac OS X. These devices are not limited to computers, though, as Linux platforms are found everywhere, from calculators to smart slow cookers.

"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," Beardsley said. "Anybody with systems using Bash needs to deploy the patch immediately

Security experts believe that Shellshock is "as big a deal as Heartbleed" because of the widespread use of Bash across devices. Earlier this year, vulnerability was discovered in OpenSSL, an open-source code library that is used by thousands of websites, including high-profile sites such as Yahoo, Reddit and Amazon Web Services, to secure their sites. The bug was said to have made these sites open to attacks for at least two years and is still being cleaned up until now.

Shellshock on the other hand, has been around far longer than that. In fact, Robert Graham, CEO of Errata Security, believes that the bug could have been around since 1977, when Bourne, the precursor of Bash, was first used.

"Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time," writes Graham in a blog post. "That means there are lots of old devices on the network vulnerable to this bug."

The US Computer Emergency Readiness Team (US-CERT) recommends that all users of computers running on Linux, OS X and other affected platforms update their operating systems once their providers release a patch. Red Hat has already released one, but Apple has yet to come out with its own fix, although OS X users can use this temporary patch posted on the Stack Exchange forums. Chet Ramey, official maintainer of the Bash shell, has also released a patch for Bash 3.0 through 4.3.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics