Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A View from Cesar Cerrudo

Why the Shellshock Bug Is Worse than Heartbleed

We still don’t know how many systems are vulnerable to the Shellshock bug, but it is likely in the millions.

  • September 30, 2014

Last Wednesday a serious software vulnerability called Shellshock was reported; the bug could be exploited to compromise millions of servers and other devices worldwide. We still don’t know how wide and costly the problem will be, but we already know that Shellshock is more serious than the Heartbleed vulnerability that received wide attention back in April.

Heartbleed affected software used by servers to encrypt and secure communications. The flaw allowed attackers to get sensitive information such as encryption keys or passwords from vulnerable servers that could be used to secretly access the system later, for example to steal personal data.

Shellshock allows an attacker much more power. They can use it to take complete control of a system even without having a username and password. Exploitation of the vulnerability is simple and doesn’t require advanced skills.

Because an attacker can use Shellshock to remotely execute any code on a system, it could be used to create a self-replicating “worm.” It would use one compromised system to attack other systems, and so on, propagating over the network and compromising hundreds or thousands of system in little time.

The Shellshock vulnerability was found in a software package called Bash, a command line interpreter, or shell, that provides a powerful, flexible way to run commands on a computer. It is the default for all Linux-based operating systems and Apple’s Mac OS X. Bash is also widely used on simple Internet connected devices, many of which run versions of Linux, meaning that not only servers could be compromised but also some home routers, IP cameras, etc.

Some popular networking devices widely used by corporations have already been identified as vulnerable. Mobile devices are not at risk, unless you have modified your Apple or Android device to gain more control over its software.

Shellshock is dangerous because while Bash is not directly exposed to the Internet, some software that is can make use of Bash internally. For example, the “DHCP” software that negotiates your connection to a Wi-Fi network can pass along commands to Bash. This means that someone with a vulnerable operating system (mostly Linux) could be attacked when connecting to an untrusted Wi-Fi. (It’s worth noting that connecting to untrusted Wi-Fi networks is always a risk.)

Within a day of Shellshock being reported, there was evidence that it was being used to stage attacks “in the wild.” Information security departments at all companies and organizations should take preventive actions such as applying security fixes and close monitoring of internal networks. The United States Computer Emergency Readiness Team has issued an alert, and along with other security organizations worldwide is recommending users and system administrators apply security fixes as soon as possible.

However, it’s still too early to come up with an exhaustive list of affected devices that need updating. And although researchers and device vendors are publishing details about which devices are vulnerable and which aren’t, for some devices in use, no one will be checking because they are no longer supported, or documentation is lacking.

The faster systems are identified and patched, the lower the number of security compromises—and financial losses—that will be caused by Shellshock. It’s possible the economic effects of this bug will be severe because one compromised system can affect a lot of people. For instance, a compromised e-commerce site could not only cause lost sales due to downtime needed to patch, but also expose millions of credit card details, inconveniencing consumers.

Cesar Cerrudo is the chief technology officer at the computer security company IOActive Labs.

At EmTech MIT, our journalism is brought to life.
Network with like-minded professionals to stay in the know.

Learn more and register
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.