The latest on the worse-than-Heartbleed “Shellshock” bug
A vulnerability in Bash, the command-line shell used by many Unix-like operating systems, was revealed earlier this week, and many have declared it more dangerous than the infamous Heartbleed bug, largely because a successful exploit gives an attacker control of the compromised device.

The bug, which researchers and the media have dubbed “Shellshock,” will probably be in the headlines for some time. (Or at least that’s what I hope, given the importance of continued scrutiny in the face of major security issues like this.) Here are the latest revelations about the bug.

Apple says most OS X users won’t be affected

Apple’s OS X was among the systems said to be vulnerable to Shellshock, but the company has released a statement saying that most Mac users won’t be affected by the bug. As iMore reported this morning after receiving a statement from an unnamed Apple spokesperson:

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

This narrows the set of devices that could be affected by Shellshock. Patches for Bash have also been released for many popular Linux distributions, so users who install them are no longer exposed to attacks through this bug, according to US-CERT.

Hackers are already exploiting the bug

Shellshock is already being exploited, according to numerous reports based on discussions with a variety of researchers. Reuters reported on Thursday that Kaspersky and AlienVault had discovered multiple “worms” that exploit the bug to take control of affected computers. The Verge reported that one attacker is exploiting the bug to open and close the CD/DVD drives of random people — and that future attacks could be much more dangerous than that prank:

Higher-level network hardware may also be vulnerable. Researcher and journalist Ashkan Soltani says the most alarming attack vector he’s seen is a Bash vulnerability on F5 Security’s BIG IP service, which serves as a smart gateway sitting between web applications and users. The vulnerability itself is of limited use — you’d have to be an authenticated F5 user to make the attack work — but it hints at a much larger and more troubling kind of Bash attack. “Many of the high-end networking systems are built atop a Linux / Unix platform that can oftentimes be vulnerable,” Soltani says. “A vulnerability in a core networking equipment is significantly more problematic than of a single user’s computer since it allows redirection and man-in-the-middle on a mass scale.”

But the GNU Project’s Richard Stallman has dismissed it as a “blip”

Bash is maintained by a single person tasked with updating it, according to the Guardian, and some have called for increased scrutiny of such an important tool. (A similar debate followed Heartbleed, once that bug was revealed to have been caused by a simple coding error that might have been noticed sooner had the foundation in charge of OpenSSL been better staffed.)

Yet that hasn’t stopped Richard Stallman, the leader of the GNU Project, from dismissing the Shellshock bug as a “blip” in an interview with the Guardian. Stallman even uses the occasion to argue that accidental vulnerabilities like this one are preferable to trusting proprietary software, which could have been intentionally compromised by its maker:

“In the long term, this will be a blip, it’s patched, people will install. It will be one of thousands of bugs that people will exploit,” Stallman told the Guardian. “When users control the program, they can add features and fix bugs.”

“Any program can have a bug. But a proprietary program is likely to have intentional bugs, malicious functionality.”

And there will be more to come

Information about major security vulnerabilities tends to come first as a flood, then as a trickle. Heartbleed was incessantly covered after it was first revealed; things then slowed down even though there was still more to discuss about the bug and the problems it created. I imagine that Shellshock will follow a similar pattern: we’re going to learn a lot about it right now, then it will fade into the back of our minds before coming back to the forefront with a new piece of information.

[photo by Tambako]