Shellshock: The Security Threat that Could be Worse than Heartbleed

Do you think that Heartbleed was the worst security flaw the internet has seen? Think again. A new security flaw in Bash, a program that runs on millions of computers worldwide, has recently come to light.

Dating back to 1989, Bash is a command shell, the program that interprets the commands you give your computer. Shellshock is a vulnerability in the Bash software that can allow a malicious party to run commands and install programs on your device. It can also allow an attacker to take over your system, access private information and make changes.

It’s exactly as bad as it sounds. Security flaws are assessed on the Common Vulnerability Scoring System (CVSS), an industry standard. Heartbleed, which was present in OpenSSL and exposed sensitive information to attackers, was rated at a 5. Shellshock is rated at 10. In addition, the bar for exploitation is low, so an attacker needs little skill or effort to take advantage of it.

Bash runs on Unix-based systems, which means that operating systems like Linux and Mac OS X, mobile devices running Android, and anything built on a subset of Linux, such as smart devices, cameras, multimedia appliances and even hospital equipment, are vulnerable. Web servers are particularly at risk.

Right now, there is no consensus on exactly how many devices are at risk, and it’s unlikely we’ll know soon.

Dan Kaminsky, an internet threat expert, said:

“We don’t actually know how widespread this is. This is probably one of the most difficult-to-measure bugs that has come along in years.”

This is because, in addition to the Shellshock bug itself, a system also has to be running a second piece of vulnerable code that exposes Bash to an attacker. Details will likely emerge in the coming weeks and months.

Manufacturers are already releasing updates for devices and systems vulnerable to Shellshock, and your best bet to stay protected is to update the software on anything that runs Bash as soon as possible.
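Before and after applying those updates, an administrator will want a quick way to confirm whether the installed Bash is still affected. The script below is an added example and not part of the original article: it wraps the widely published Shellshock self-check, in which a harmless function definition followed by an `echo` is placed in an environment variable and a patched Bash refuses to execute the trailing command. The function name `check_shellshock` and its return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original article): local self-check for the
# original Shellshock behaviour in the installed bash, using the widely
# published test string. The text after the function body only echoes a
# marker, so the check is harmless whether or not bash is patched.
#
# Return codes (this script's own convention):
#   0 = bash present and not affected by the test
#   1 = bash still executes code imported from an environment variable
#   2 = no bash binary found on PATH

check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not found on PATH; nothing to check"
        return 2
    fi

    # A patched bash treats the variable x as plain text and prints only
    # "this is a test". A vulnerable bash parses the function definition,
    # runs the trailing "echo vulnerable", and prints that line first.
    # Warnings from older patched versions go to stderr and are discarded.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)

    case "$out" in
        *vulnerable*)
            echo "VULNERABLE: bash executed code imported from an environment variable; update bash now"
            return 1 ;;
        *)
            echo "OK: installed bash is not affected by the original Shellshock test"
            return 0 ;;
    esac
}

# Usage: run the script; the reported status mirrors the check result.
status=0
check_shellshock || status=$?
echo "check status: $status"
```

The check only covers the first published Shellshock behaviour; later related fixes hardened Bash further, so a clean result here is a reason to keep patching on schedule, not a reason to stop.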

Published by Syed Talal