
Why the Shellshock Bug Is Worse than Heartbleed

We still don’t know how many systems are vulnerable to the Shellshock bug, but it is likely in the millions.
September 30, 2014

Last Wednesday a serious software vulnerability called Shellshock was reported; the bug could be exploited to compromise millions of servers and other devices worldwide. We still don’t know how wide and costly the problem will be, but we already know that Shellshock is more serious than the Heartbleed vulnerability that received wide attention back in April.

Heartbleed affected software used by servers to encrypt and secure communications. The flaw allowed attackers to get sensitive information such as encryption keys or passwords from vulnerable servers that could be used to secretly access the system later, for example to steal personal data.

Shellshock allows an attacker much more power. They can use it to take complete control of a system even without having a username and password. Exploitation of the vulnerability is simple and doesn’t require advanced skills.

Because an attacker can use Shellshock to remotely execute any code on a system, it could be used to create a self-replicating “worm.” It would use one compromised system to attack other systems, and so on, propagating over the network and compromising hundreds or thousands of systems in little time.

The Shellshock vulnerability was found in a software package called Bash, a command line interpreter, or shell, that provides a powerful, flexible way to run commands on a computer. It is the default for all Linux-based operating systems and Apple’s Mac OS X. Bash is also widely used on simple Internet-connected devices, many of which run versions of Linux, meaning that not only servers could be compromised but also some home routers, IP cameras, etc.

Some popular networking devices widely used by corporations have already been identified as vulnerable. Mobile devices are not at risk, unless you have modified your Apple or Android device to gain more control over its software.

Shellshock is dangerous because, while Bash is not directly exposed to the Internet, some software that is exposed can use Bash internally. For example, the “DHCP” software that negotiates your connection to a Wi-Fi network can pass along commands to Bash. This means that someone with a vulnerable operating system (mostly Linux) could be attacked when connecting to an untrusted Wi-Fi network. (It’s worth noting that connecting to untrusted Wi-Fi networks is always a risk.)

Within a day of Shellshock being reported, there was evidence that it was being used to stage attacks “in the wild.” Information security departments at all companies and organizations should take preventive actions such as applying security fixes and close monitoring of internal networks. The United States Computer Emergency Readiness Team has issued an alert, and along with other security organizations worldwide is recommending users and system administrators apply security fixes as soon as possible.
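As an added illustration of the “close monitoring” the author recommends (this is example code, not part of the original article): a small Python scanner that flags web-server log entries carrying the `() {` function-definition pattern that Shellshock probes place in request headers or the query string, the fields a CGI server copies into Bash’s environment. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Bash exported-function prefix that Shellshock relies on: "() {" with optional spacing.
FUNC_DEF_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample log lines (not real traffic). Line 1 carries the pattern in the
# User-Agent, line 2 is benign, line 3 carries it in the Referer, and line 4 carries it
# percent-encoded in the request path, which CGI would decode into the environment.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo SHELLSHOCK-PROBE"
198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() {:;}; echo PROBE" "curl/7.37.0"
203.0.113.12 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/%28%29%20%7B%20%3A%3B%20%7D%3B%20echo%20x HTTP/1.1" 404 0 "-" "Wget/1.15"
"""


def find_shellshock_probes(log_text):
    """Return (source_ip, field, decoded_value) for each log line whose request,
    referer or user-agent contains the Bash function-definition prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for field in ("request", "referer", "ua"):
            # Percent-decode first so an encoded "() {" in the query string is not missed.
            value = unquote(m.group(field))
            if FUNC_DEF_RE.search(value):
                hits.append((m.group("ip"), field, value))
                break  # one finding per line is enough for alerting
    return hits


if __name__ == "__main__":
    for ip, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"ALERT {ip} field={field}: {value}")
```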

However, it’s still too early to come up with an exhaustive list of affected devices that need updating. And although researchers and device vendors are publishing details about which devices are vulnerable and which aren’t, for some devices in use, no one will be checking because they are no longer supported, or documentation is lacking.

The faster systems are identified and patched, the lower the number of security compromises—and financial losses—that will be caused by Shellshock. It’s possible the economic effects of this bug will be severe because one compromised system can affect a lot of people. For instance, a compromised e-commerce site could not only cause lost sales due to downtime needed to patch, but also expose millions of credit card details, inconveniencing consumers.

Cesar Cerrudo is the chief technology officer at the computer security company IOActive Labs.
