Shellshock: 'Extremely serious' bug could pose greater risk than Heartbleed
Published Thursday, September 25, 2014 11:10AM EDT Last Updated Thursday, September 25, 2014 5:08PM EDT
Cyber-security experts have found an “extremely serious” bug that may pose an even greater risk than the recent Heartbleed bug, and could affect hundreds of millions of computers worldwide.
The bug affects a piece of software called Bash, short for Bourne-Again Shell, which is part of the Unix operating system upon which many other operating systems are built, including Linux and Mac OS.
The vulnerability, which some experts have dubbed “Shellshock,” has been given the highest score of 10 on the Common Vulnerability Scoring System, or CVSS, an industry standard for assessing the severity of bugs.
The bug is more serious than Heartbleed because it can allow a hacker to take complete control of any operating system that uses Bash, essentially putting hundreds of millions of computers at risk.
However, some cyber-security experts say Shellshock is harder to exploit.
“The vulnerability looks pretty awful at first glance, but most systems with Bash installed will not be remotely exploitable as a result of this issue,” Jen Ellis of cyber-security firm Rapid7 wrote on the company’s blog.
But Josh Bressers, manager of cyber-security firm Red Hat, said the bug is simple to use and “every version of Bash is vulnerable.
“It’s extremely serious, but you need very specific conditions in place where a remote user would be able to set that environment variable,” Bressers told threatpost.com. “Thankfully, it’s not common.”
A patch exists for the bug, and system administrators are being warned to deploy it immediately.
The United States Computer Emergency Readiness Team, or US-CERT, issued a warning about the bug on Wednesday with links to the patch.
Rapid7 notes that “the patched version may still be exploitable” and experts are tracking the patch.
The new bug is leading to comparisons to the Heartbleed bug, which affected hundreds of thousands of computers around the world back in April. In Canada, the bug spurred the Canada Revenue Agency to shut down its online tax filing system after hundreds of social insurance numbers were compromised.