Why getting a Shellshock may just be worse than suffering a Heartbleed

Security experts say the Shellshock security flaw discovered Thursday could allow hackers to control millions of computers and the hacking impact may be felt for years.

Shellshock, also known as "the bash bug," could leave up to half of the world's web servers vulnerable.

"You can take control of the system and do virtually anything from there. You can steal information from people. You can display different information to people. You can steal passwords," said Josh Bressers, manager of the security response team at Red Hat. "The imagination of the bad guys is the limit."

According to Stephane Chazelas, who first discovered Shellshock, the flaw has been around for over 20 years. He said it is difficult to determine just how devastating the bug could be as different hackers can exploit it for different reasons. Despite this, it appears the bug has yet to be abused.

The bug has been traced to open-source software called Bash, which stands for Bourne Again Shell. Unfortunately, since Bash was originally created in 1987, it has been used in many popular operating systems. In fact, it is estimated that the software can be found on at least half of all devices that connect to the Internet.

"It's worse than Heartbleed in that it affects servers that help manage huge volumes of Internet traffic," said Darien Kindlund from FireEye in a blog post. "Conservatively, the impact is anywhere from 20 to 50 percent of global servers supporting web pages."

Because of the bug's relation to the Internet, it puts the "Internet of Things" in a very difficult and vulnerable position. Many devices are starting to be built to connect to the Internet so they can share data. For example, some fridges can connect to the Internet and let users create grocery lists directly on the fridge. However, it also means the software on such devices must be updated to avoid potential hacking.

"I'll bet that Internet-connected toothbrush is running on Linux. How do you patch your toothbrush?" said Christopher Budd, a global threat communications manager at Trend Micro.

It is expected that many such devices may not get a patch because of the difficulty in updating them, meaning that the potential threat from Shellshock may be in play for years.

Despite the concerns, it seems as though most consumers are safe from attacks, at least in the meantime. It is really up to software developers and network administrators to ensure software updates are protected against the bug in the future.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.