Forget Heartbleed, Is There Anything We Can Do to Save Ourselves from the Shellshock Bug?
In April, computer users held their breath as a security vulnerability, dubbed Heartbleed, affected more than 300,000 web and email servers worldwide. The flaw, which took months for developers to patch, allowed hackers to steal the cryptographic keys that are used in online commerce and web connections, potentially exposing the personal and financial information of countless Internet users.
Bloomberg News even reported that the NSA quietly knew about Heartbleed for some time and may have used it to spy on people and steal their passwords. Some cybersecurity experts say that the bug reached virtually every computer connected to the Internet.
Now a new flaw has emerged that might make Heartbleed seem like child's play. The bug, called Shellshock, is found in the command-line shell of Unix and Linux operating systems (including most web servers, Apple devices, and mobile phones) and can be exploited easily by hackers. According to security experts, the bug is exceptional in its severity and may take years to patch, reports the UK Independent.
Shellshock will not require users to rush from site to site changing their passwords, but it does give hackers another method of attack that they could potentially use to take over computers or mobile devices.
If Heartbleed's effect on users was akin to unlocking everyone's front door simultaneously, sending people scrambling back home to turn the key (i.e., change their passwords), then Shellshock is like giving thieves a new type of crowbar to break into houses with: they're just as likely to use older methods, but it's still a blow for general security. Security researchers are especially worried about its potential, but as yet unknown, effect on Apple Mac computers, which use the Bash software that the bug exploits directly, in the form of their command-line program Terminal.
Shellshock is a flaw found in the code of a Unix program called Bash, which is found on many non-Windows computing devices that run Mac, Unix and Linux operating systems. Hackers can exploit this flaw with just three lines of code, which gives them administration status on a computer and allows them to plant malicious software that can take control of it.
The federal government’s National Vulnerability Database, which tracks computing security, gave Shellshock a 10 out of 10 in terms of its possible impact and exploitability.
And even if you don’t have an Apple, Unix, or Linux operating system, you may be at risk. A majority of the world’s busiest web servers, including those that hold personal and financial information, use either a Linux or Unix operating system that uses Bash, making them vulnerable to Shellshock. This means that much of the information stored on those servers can be exposed by hackers.
All in all, experts say that more than a half billion Internet-connected devices, which include web servers, computers, cellphones, security cameras, routers, and medical devices, can potentially be accessed through the Shellshock bug.
Despite the dire warnings from security experts, Apple Computer is claiming that most of its consumers are safe from Shellshock. The computing company also says that it will be releasing a software patch soon. According to Apple, only those who use advanced Unix services, like programmers and developers, are at risk.