Experts give us their reactions to the Bash vulnerability in Linux, Unix and Mac.
Hundreds of millions of computers are potentially affected by Shellshock, a new bug found in Linux, Unix and Mac. The flaw is related to the command processor called Bash, short for Bourne again shell, which is common to Linux, Unix and Mac systems.
So what does this all mean for us? We asked the experts, and this is what they said.
1) "It’s worse than Heartbleed"
Earlier this year the tech media went into meltdown over a bug in OpenSSL, a commonly used web security layer. Eventually dubbed "Heartbleed", it went on to affect an estimated 500,000 machines, and has become a benchmark for vulnerabilities. Shellshock is thought to affect 500 million.
Darien Kindlund, director of threat research at security firm FireEye, said: "This bug is horrible. It’s worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic. Conservatively, the impact is anywhere from 20% to 50% of global servers supporting web pages."
2) "It’s too early to say"
While many have amped up the fear over this bug, others have urged a more cautious response. "It’s too early to be able to say how many machines will be affected," said Lawrence Jones, chief executive of hosting firm UKFast. "Looking at what we’ve seen so far through our own testing, it appears that you can’t exploit much without having prior access to the system."
He added that few systems would be vulnerable to hackers executing code from the outside, which should be a relief for any firms that rely on affected servers. But like everyone else he still recommends patching your systems, as many miscreants will be looking to exploit the bug while they still can.
3) Internet of Things is "most at risk"
Linux may be unfamiliar to most tech consumers, but it is the operating system that underlies many businesses and web servers, and in commercial terms it is vital. Joe Hancock, cyber security specialist at insurance firm AEGIS London, warned that the machines most at risk were Industrial Control Systems (ICS) and Internet of Things (IoT) devices.
"Any legacy device that uses a set of web-scripts to interact directly with the underlying Linux operating system via Bash could be potentially remotely monitored or controlled," he said. "In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched."
4) There are "currently no widespread exploits"
Though Shellshock is something that system administrators have to respond to, it is likely that right now the dangers of it are limited, at least according to David Chismon, senior researcher at MWR InfoSecurity. System admins need to inspect their logs, but now is no time to panic.
"As the exploit has only been known publicly for a number of hours, there are currently not widespread exploits against common services," he said. "However, many people are currently working on developing these and there is a concern that some may be released in the next few days."
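As an added example, not part of this article or of any quoted firm's tooling: a small Python log checker of the kind an administrator might run when "inspecting their logs" for Shellshock attempts. It assumes an Apache-style combined access log and relies on the widely documented fact (not stated in the article) that Shellshock probes place a Bash function definition, which begins with "() {", in a request field such as the User-Agent or Referer that a CGI handler copies into an environment variable. The log lines below are constructed for the example.

```python
import re

# Apache/Nginx "combined" access-log format (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock attempts smuggle a Bash function definition, which starts with
# "() {", into a request field that a CGI handler exports as an environment
# variable. That prefix is the marker a defender looks for in access logs.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample log: two ordinary requests and one Shellshock probe
# carrying the marker in its User-Agent field.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
192.0.2.44 - - [25/Sep/2014:10:12:09 +0000] "POST /login HTTP/1.1" 302 0 "http://example.test/" "curl/7.37.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text):
    """Scan every parseable line and report those whose request, referer or
    user-agent contains the Shellshock function-definition marker."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append({
                    "line": lineno,
                    "ip": entry["ip"],
                    "field": field,
                    "value": entry[field],
                })
                break  # one report per line is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} sent Shellshock marker "
              f"in {hit['field']}: {hit['value']!r}")
```

Running the script over the constructed sample flags only line 2, the request from 198.51.100.9 with the marker in its user-agent string. Against a real log the same function can be pointed at the contents of the access log file; a hit means a probe reached the server, not necessarily that it succeeded, so the next step is confirming the host is patched and checking what the targeted CGI script could have executed.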
5) Like Heartbleed it will have "a long tail"
When Heartbleed hit, Hugh Thompson of security firm Blue Coat told CBR that the bug was likely to have a "very long tail" as companies fail to patch. Given that poor patching is an issue those in cybersecurity regularly flag up, it seems likely we will see a repeat of this effect.
"Shellshock is set to have a ‘long tail’ effect in a similar way to the Heartbleed bug in that not all servers will be updated and will therefore remain exposed," said Garve Hays, a software architect at security firm NetIQ. "By June this year, there were still 300,000 servers that had not been patched following Heartbleed, so it’s reasonable to expect similar vulnerabilities to remain in this case."