The Heartbleed bug from earlier this year was billed as the single biggest security vulnerability in Internet history. That is no longer the case. As of Wednesday night there’s a new bug in town, which Errata Security’s Robert Graham describes as “bigger” than Heartbleed. It is called the “Bash bug,” but you might also see it called the “Shellshock bug.” The whole mess is very complicated. But here’s what you should know about it.
Why is it called the Bash bug?
Bash is an acronym for “Bourne-Again Shell,” the command-line interpreter used on operating systems like Unix and Linux, and derivatives like Mac OS. In other words: It’s everywhere. Think of the shell as the interface where commands are typed in, like, say, “turn off” or “turn on.”
In this case, the security vulnerability leaves the door open to all kinds of attacks when extra commands are tacked onto text that bash processes, potentially allowing attackers to execute scripts over the Internet. It looks like this:
How bad is it?
The National Vulnerability Database gives it a “10 out of 10.” So: It’s pretty bad!
While Heartbleed affected about half a million websites, the Bash bug’s reach is so enormous that it is impossible to quantify. Part of that is because it’s very, very easy to execute an attack, notes Microsoft software architect Troy Hunt. As Hunt writes on his blog: “[P]erhaps most significantly, there is no authentication required when exploiting Bash via CGI scripts.” Thus, it is impossible to know whether, or how many, people are actually using the loophole.
What does it do?
The exploit is so far-reaching that someone could theoretically hack into many of the “smart” devices in your home, as most of them use bash scripts to run commands. This includes everything from light bulbs to routers to cameras to (of course) your computer. It also affects bash versions stretching back at least 25 years, meaning, when or if a patch rolls out, there are a number of older electronics that won’t be getting a firmware update. (Like, say, your dusty old router behind your couch.)
“Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts,” writes Graham. “Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.”
Who discovered it?
It was uncovered by the security team at Red Hat, which has already released patches for the Bash bug. (You can read the blog post here, but the website has been intermittently down all morning.)
On Wednesday afternoon, Ars Technica found that Mac OS X 10.9.4 “Mavericks” was vulnerable. But it looks like Apple quietly patched the hole without telling anyone.
Can I do anything about it?
Obviously it will be an enormous headache, but patch the software for all your stuff as soon as an update becomes available (if updates become available). You can assess whether you are vulnerable to the remote exploit by running the test issued here.
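The self-check the article points to, written out here as an added example (not the test linked in the original): it hands bash an environment variable whose value is a harmless function definition with an extra command tacked onto the end, exactly the pattern described above, and reports whether the local bash runs that trailing command. The function name and return codes are this example’s own conventions.

```shell
#!/bin/sh
# shellshock_selftest [path-to-bash]
# Checks whether the given bash (default: whatever "bash" resolves to) is
# affected by the original Bash bug. Returns 0 = patched, 1 = vulnerable,
# 2 = could not test. Only the local machine's own shell is examined.
shellshock_selftest() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no bash binary found at '$bash_bin'"
        return 2
    fi

    # The variable's value starts with an empty function body "() { :;}".
    # A vulnerable bash keeps parsing past the closing brace while it imports
    # the environment and executes the trailing "echo VULNERABLE" as a
    # command, before the -c script ever starts. A patched bash treats the
    # whole value as an ordinary string and only the -c script runs.
    #
    # Under CGI a web server sets variables like this from request headers,
    # which is why the article notes no authentication is needed: the same
    # string would reach bash from any client that can send a request.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe-ran' 2>/dev/null)

    case "$out" in
        *VULNERABLE*)
            echo "$bash_bin: VULNERABLE (trailing command executed during environment import)"
            return 1 ;;
        *probe-ran*)
            echo "$bash_bin: patched (trailing command ignored)"
            return 0 ;;
        *)
            echo "$bash_bin: could not determine result, output was: '$out'"
            return 2 ;;
    esac
}

# Run against the default bash when executed directly.
shellshock_selftest "$@"
```

This covers only the original flaw; the follow-up fixes released in the days after it do not change the verdict here, so a “patched” result means the first patch is in place, not necessarily the later ones.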
That said, patching software will be easier said than done considering what kinds of systems might be most susceptible. “Financial institutions, hospitals, the sort of change-averse and risk-averse organizations that put [these tools] in place 10 or 15 years ago are going to find that their most venerable systems are also their most vulnerable,” Patrick Thomas, a security consultant at Neohapsis Labs, tells Fast Company in an email. “And embedded systems, like home automation, routers, and webcams are all essentially lightweight shell scripts providing a web interface over CGI; tons of them are going to be vulnerable and, even worse, embedded systems are notorious for being difficult to patch.”
Adds Thomas, “Who’s going to think to install software updates on their smart refrigerator or webcam?”