Shellshock: The Security Threat that Could be Worse than Heartbleed

Do you think Heartbleed was the worst security flaw the internet has seen? Think again. A new security flaw in Bash, a program that runs on millions of computers worldwide, has recently come to light.

Dating back to 1989, Bash is a command shell: the program that takes commands and tells your computer what to do. Shellshock is a vulnerability in the Bash software that can allow a malicious party to run commands and install programs on your device. It can also allow an attacker to take over your system, access private information and make changes.

It’s exactly as bad as it sounds. Security flaws are assessed on the Common Vulnerability Scoring System (CVSS), an industry standard. Heartbleed, which was present in OpenSSL and exposed sensitive information to hackers, was rated at 5. Shellshock is rated at 10. In addition, the bar for exploitation is low, so even an unsophisticated attacker can take advantage of it.

Bash runs on Unix-based systems, which means that operating systems like Linux and Mac OS X, mobile devices running Android, and things built on a subset of Linux, such as smart devices, cameras, multimedia appliances and even hospital equipment, are vulnerable. Web servers are particularly at risk.

Right now, there is no consensus on exactly how many devices are at risk and it’s unlikely we’ll know soon.

Dan Kaminsky, an internet threat expert, said:

“We don’t actually know how widespread this is. This is probably one of the most difficult-to-measure bugs that has come along in years.”

This is because Shellshock alone is not enough: a system must also be running a second piece of software that exposes Bash before it can be targeted. Details will likely emerge in the coming weeks and months.

Manufacturers are already releasing updates for devices and systems vulnerable to Shellshock, and your best protection is to update the software on anything that runs Bash as soon as possible.
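After updating, it is worth confirming that the installed Bash really ignores the trick Shellshock relies on. The script below is an added example, not part of the original article or of any vendor's tooling; it runs the widely published local self-test (setting an environment variable that looks like a function definition and seeing whether Bash executes the text that follows it) and also reports whether /bin/sh on this machine is Bash at all, since systems whose /bin/sh is another shell are not reached through that path. It assumes `bash`, `env` and (optionally) `readlink` are available on the host being checked.

```shell
#!/bin/sh
# Added example: local Shellshock self-check. Returns:
#   0 = bash found and it ignores the function-import trick (patched)
#   1 = bash found and it executes the trailing command (vulnerable)
#   2 = bash is not installed on this host
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not found: this host cannot be affected through bash"
        return 2
    fi
    # Classic detection: an unpatched bash imports the variable as a function
    # and runs the command after the closing brace while starting up. A patched
    # bash refuses to import it (and prints a warning on stderr, discarded here).
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*)
            echo "bash is VULNERABLE to Shellshock: update it now"
            return 1 ;;
        *)
            echo "bash ignores the function-import trick: patched"
            return 0 ;;
    esac
}

# Reports whether /bin/sh actually resolves to bash. Where /bin/sh is dash or
# busybox, scripts and services that invoke /bin/sh never reach bash.
# Returns 0 if /bin/sh is bash, 1 otherwise.
sh_is_bash() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    case "$target" in
        *bash*)
            echo "/bin/sh -> $target (bash)"
            return 0 ;;
        *)
            echo "/bin/sh -> $target (not bash)"
            return 1 ;;
    esac
}

# Run both checks when executed directly; the last exit status is the bash verdict.
sh_is_bash
check_shellshock
```

Run it with `sh shellshock-check.sh` on each host you maintain; an exit status of 1 means the update has not taken effect and Bash still needs patching.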

Talal is a Director at ProPakistani. Reach out at [email protected]

  • Amir Bilal

    Both of them have their own importance but in my opinion Shellshock was a bigger threat. Heartbleed was specific to OpenSSL so we can say limited/specific scope but SS is affecting millions of devices including routers, personal computers, servers, systems running on factory floors and power plants.

    • Shahid Saleem

      In actuality a lot of those devices (like PTCL DSL modems, etc.) do not ship with bash; they ship with busybox and sometimes a shell, but not bash.

      As long as /bin/sh is NOT bash and your dhcp client is not stupid, you are safe.

  • Amir

    Those good old days when Linux was considered the most secure OS.

    • Shahid Saleem

      Um, it is still secure. In fact, this bug does not even affect all Linux systems. For example, it does not affect Debian or Ubuntu systems (they use dash as /bin/sh, not bash).