Shellshock Bash Bug Could Be Biggest Threat Ever

Remember the Heartbleed bug? The Shellshock vulnerability, also known as the Bash (Bourne-Again Shell) bug, could be an even bigger threat. That's a big statement. But security experts say "bigger than Heartbleed" is not an understatement.

Keep in mind that Heartbleed has gone down in security history as one of the worst bugs ever, potentially giving hackers access to user passwords and, by exposing servers' private keys, letting attackers impersonate popular Web sites.

Robert Graham, a security analyst at advanced persistent threat firm Errata Security, offers several reasons why Shellshock may be a bigger deal than Heartbleed. Again, remember that Heartbleed affected millions of Web sites, since an estimated two-thirds of Web servers ran the affected OpenSSL library.

"The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion," Graham said in a blog post. "Thus, we'll never be able to catalogue all the software out there that is vulnerable to the Bash bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable."

Why Bash Bug is Bigger

Graham offers a second reason: While the known systems -- like your Web server -- are patched, unknown systems remain unpatched. That same scenario holds true with the Heartbleed bug, as six months after the revelation there are still hundreds of thousands of vulnerable systems, Graham noted. Although he said those systems are more often equipment such as Internet-enabled cameras, it's still noteworthy.
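The practical question behind "known systems are patched, unknown systems remain unpatched" is how to tell which bucket a given box falls into. Shellshock (CVE-2014-6271) exists because Bash imported function definitions from environment variables and, before the fix, also executed any commands that followed the function body. The check below is an added example written for this page, not code from the article or from Errata Security: it places such a definition in the environment, runs a harmless command through the Bash binary under test, and reports whether the trailing marker command was executed. The marker string "ss_vuln" and the optional binary argument are this example's own choices.

```shell
#!/bin/sh
# Added example: probe a Bash binary for the original Shellshock behaviour
# (CVE-2014-6271).  Not the article's or Errata Security's code.
#
# A vulnerable Bash, on start-up, imported the environment variable x as a
# function "() { :; }" and then ran the trailing "echo ss_vuln".  A patched
# Bash treats x as an ordinary variable and never runs the trailing command.

check_shellshock() {
    # Optional first argument: path to the Bash binary to test (assumption:
    # defaults to whatever "bash" is found on PATH).
    bash_bin="${1:-bash}"

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # Run a harmless command; only the imported environment is suspect.
    # stderr is discarded because partially patched builds warn about the
    # malformed function definition instead of executing it.
    out=$(env x='() { :; }; echo ss_vuln' "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *ss_vuln*) echo "vulnerable" ;;
        *)         echo "patched" ;;
    esac
}

# Stand-alone use: ./check_shellshock.sh [/path/to/bash]
check_shellshock "$@"
```

Run it against every Bash you can find on a host (`/bin/bash`, `/usr/local/bin/bash`, and copies bundled inside appliance firmware images), not just the one on PATH; the "unknown systems" Graham describes are exactly the ones where a second, unpatched Bash sits behind a CGI script or a management Web interface. A "patched" result only covers this first bug, not the follow-up parser issues fixed in later Bash patch levels.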

"Internet-of-Things devices like video cameras are especially vulnerable because a lot of their software is built from Web-enabled Bash scripts," Graham said. "Thus, not only are...

