TORONTO – Security experts are once again warning users about a newly discovered security flaw that could pose a serious threat to computers and other devices using Unix-based operating systems such as Linux and Mac OS X.
The security flaw has been referred to as both the “Bash” bug – after the piece of software that runs the command prompt on Unix computers and Linux servers – and the “Shellshock” bug.
Many have warned that this bug could be much worse than the Heartbleed bug, which caused major security headaches in April, despite the fact many experts called Heartbleed the “biggest security vulnerability in the history of the Internet.”
What is the vulnerability?
Devices use Bash to execute “shell” commands. A shell is a program that translates your commands into something the device’s operating system can understand.
When a command is received, the shell needs to check information separate from that command – like what software is running – to do its job. But Shellshock allows attackers to add malicious information into that process.
“When one computer wants another computer to do something it sends an order saying ‘Do this for me’ but, for security reasons, the computer doing the task uses its own tools,” explained David Skillicorn, professor at the school of computing at Queens University.
“The problem with this vulnerability is it sends the computer a tool and says ‘here use this instead’.”
What devices are affected?
Any device using a Unix-based operating system such as Linux or Mac OS X is affected by Shellshock.
What makes this vulnerability more dangerous than Heartbleed is the number of devices hackers could potentially attack. Everything from servers and routers to kitchen appliances, cable and Wi-Fi modems, car computers and tech gadgets runs Linux.
What could happen?
According to Skillicorn, attackers could use this to download malware onto people’s devices, use them as botnets (a network of computers infected with malicious software and controlled without the user’s knowledge), or even delete information from people’s computers.
Hackers could gain full control of a user’s computer by exploiting the bug – opening the possibility for attackers to encrypt the users’ information and hold it until a ransom is paid, a commonly used technique by hackers.
Skillicorn added this could also happen on a larger scale.
“You could hold cable companies to ransom by saying, ‘If you don’t pay us $2 million we will turn off all of your cable boxes’,” he said.
“The potential to be nasty is quite big.”
How does it compare to Heartbleed?
The Heartbleed bug exploited a key piece of security technology used by hundreds of thousands of websites. For more than two years before it was discovered, the flaw exposed passwords and other sensitive data to hackers who could steal that information.
The reason the Shellshock bug could be worse than Heartbleed is because it gives the attacker a bigger advantage than Heartbleed did.
With Heartbleed, attackers could get an information leak. But Shellshock allows an attacker to take control of the device. The bug is rated a maximum 10 out of 10 for its impact and ease of exploitability by the Common Vulnerability Scoring System, an industry standard for assessing how bad security flaws are.
What can the average user do to protect themselves?
Unfortunately, there isn’t a lot the average user can do to protect themselves from Shellshock.
One of the biggest affected consumer user groups will be Mac users, because Bash is the default shell in Mac OS X. At time of publishing, Apple had not yet released a fix for its devices – but Mac users should keep an eye out and install any security updates as they become available.
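Readers who want to confirm whether the Bash on their own machine has received the fix can run the self-check below. It is an added example, not code from the article or from Skillicorn: it uses the widely published probe for the original Shellshock defect (a function definition in an environment variable followed by extra code), and the variable name `probe`, the marker string and the function name `shellshock_check` are this example's own.

```shell
#!/bin/sh
# Added example: report whether the locally installed bash still executes
# code that trails an exported function definition (the original Shellshock
# defect). Run it on the machine you administer; it touches nothing else.

shellshock_check() {
  # No bash at all means nothing to patch on this host.
  if ! command -v bash >/dev/null 2>&1; then
    echo "no-bash"
    return 0
  fi

  # Hand bash an environment variable shaped like a function definition with
  # a command appended. An unpatched bash imports the function while starting
  # up and also runs the appended "echo", so the marker shows up in the output.
  # A patched bash treats the variable as ordinary data and only runs the
  # command we actually asked for ("echo done").
  out=$(env probe='() { :; }; echo SHELLSHOCK_MARKER' bash -c 'echo done' 2>/dev/null)

  case "$out" in
    *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
    *)                   echo "patched" ;;
  esac
}

# Prints one word: "vulnerable", "patched" or "no-bash".
shellshock_check
```

If the result is "vulnerable", installing the vendor's Bash update is the fix; anti-virus software will not change this result.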
Anti-virus software cannot prevent attacks by Shellshock, but it’s still a good option for users to protect their devices from malware. Some anti-virus software can even alert the user to intrusions.
But Skillicorn added that people should “be careful about how they panic,” adding that malicious users will take advantage of the fear surrounding the bug to issue phishing scams.
The same thing happened after the Heartbleed bug – many users reported receiving malicious emails that read, “Click here to find out if your account was affected,” only to have their information stolen.