The New Heartbleed? ‘Shellshock’ Threatens 500M Computers

The world of server exploits has always been a murky one, mired in cryptic language and confusing scenarios. Rarely does news from this dark side of the computing world get any kind of mainstream coverage.

Then, a few months ago, the HeartBleed bug was revealed. The critical vulnerability, which had been dormant in the OpenSSL software for a long time, made headlines with its severity and threatening potential, as security experts and popular sites scrambled to secure their servers and assure their users that their information was A-OK.


Now another exploit, going by the name Shellshock, looks to pose a similar threat to machines worldwide. The impact looks to be even greater than Heartbleed’s: Where Heartbleed only affected some 500,000 machines in total, conservative estimates place Shellshock’s influence at over 500 million compromised machines.

The main problem is the location of the vulnerability – a small piece of software called Bash, which stands for Bourne-Again SHell. Bash is a fundamental element of many Unix-based operating systems – including many Linux distributions and Mac OS X. It’s the command-line shell that runs the commands issued to control the system: installing software, monitoring networks, and executing code.

If you’re on a Windows box, you’re not out of the woods, either. The servers of most sites that you visit run on Apache, which, as you’ve probably guessed by now, also uses Bash.

This means that a malicious hacker armed with the Shellshock code (a tiny exploit at just three lines) can execute his own malicious code on any vulnerable system. The full extent of this potential vulnerability is yet to be seen, but in theory it could allow a hacker unfettered access to any data on the system – including passwords, personal files, and other sensitive information.


“Whereas something like Heartbleed was all about sniffing what was going on, this [is] about giving you direct access to the system,” security researcher Prof Alan Woodward told the BBC.

Luckily, the vulnerability is easily fixed: Several patches were released this morning that claim to eliminate the vulnerability. Yet as with Heartbleed, it may take a while for IT administrators to actually apply these fixes. Meanwhile, many news outlets are reporting that hackers are starting to use the vulnerability for malicious purposes, with concern rising about the potential development of a worm that jumps from one vulnerable system to the next, executing code wherever it can.

The main difficulty in patching this Bash bug is how widespread it is, from the highest point in a piece of system architecture all the way down to a Wi-Fi-enabled toaster.


This is a growing concern for the end user as we rocket towards the oft-quoted Internet of Things, with our entire livelihoods based on our personal networks of Wi-Fi-enabled devices. As software architect Troy Hunt says in his excellent primer on the exploit, many household items that have been adapted for the Internet of Things are running Bash. This vulnerability even extends to home routers, which also often have Bash shells.

So what’s a poor user to do until this whole thing dies down? Unfortunately, not a lot, short of hunkering down and waiting for fixes to materialize.

As Hunt tellingly reiterates: “Watch for security updates, particularly on OS X. Also keep an eye on any advice you may get from your ISP or other providers of devices you have that run embedded software. Do be cautious of emails requesting information or instructing you to run software – events like this are often followed by phishing attacks that capitalize on consumers’ fears.”
