Q&A: What Are the True Risks of the Bash Bug?

Internet security experts are warning that a new programming flaw known as the "Bash Bug" may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Q. What is the Bash Bug, and why is it a big deal?

A. The bug, also known as "Shellshock," is in a commonly used piece of system software called Bash. Bash has been around since 1989 and is used on a variety of Unix-based systems, including Linux and Mac OS X.

Devices that use Unix in some form include many servers, routers, Android phones, Mac computers, medical devices and even the computers that create bitcoins. Systems running power plants and municipal water systems could also be affected by the bug, though security experts already recommend that these systems remain disconnected from the Internet to avoid opening them to such risks.

Bash is a command shell -- "the thing you use to tell your computer what you want it to do," explains Christopher Budd, global threat communications manager at security firm Trend Micro. Thus, exploiting a security hole in Bash means telling your computer, or other systems, what to do.

Q. Why are people saying it's worse than "Heartbleed," the flaw that affected security technology used by hundreds of thousands of websites?

A. While Heartbleed exposed passwords and other sensitive data to hackers, Bash Bug lets outsiders take control of the affected device to install programs or run commands.

On the other hand, Bash Bug might be harder to exploit. Heartbleed affected any system running OpenSSL, a common Web encryption technology. With Bash Bug, your system actually has to be using Bash, Budd said....
