A bug discovered Tuesday evening in Linux and Unix operating systems could—potentially—allow hackers to wreak havoc on the Internet of Things (IoT).
The bug, named Shellshock but also called the Bash Bug, was discovered in Bash, short for Bourne-Again Shell, a command-line shell in Unix. Unix is used in corporate computer networks and is the basis of other operating systems, like Linux and Apple’s Macintosh operating system, so the threat could be widespread. However, it isn’t clear yet how this may affect Macs.
The flaw could ultimately prove to be more of a threat than the Heartbleed bug of earlier this year because Shellshock may be used by hackers to write code that could take over a machine, or run their own programs in the background. The National Institute of Standards and Technology states that the vulnerability is a 10 out of 10 in terms of its severity, impact and exploitability, but low in terms of its complexity, so it could be easily used by hackers. The Department of Homeland Security’s United States Computer Emergency Readiness Team, or US-CERT, also issued a security warning about the vulnerability.
The problem is that Bash is used in the software of the Apache web servers that run—by some estimates—at least half of the world’s websites. It’s also used in the software that connects many “smart” home devices to the Internet, including household security systems and even lighting systems.
According to open source software company Red Hat, the bug affects any device that uses the Linux operating system, which means everything from calculators to cars, a CNN Money article reports. But in addition to Apple Macs, the bug also affects some Microsoft Windows and IBM machines. Google, however, says no Android machines are susceptible.
Red Hat researchers went so far as to classify the severity of the bug as “catastrophic,” the CNN Money article notes.
“The real scale of the problem isn’t clear yet, although it’s almost certain that hackers and security researchers are testing web services and Linux software and the results of these tests will probably be published in the coming days,” says David Jacoby, a security researcher at Kaspersky Lab, in a USA Today article. “The good news is that vendors of some of the most popular products affected by the vulnerability have already prepared patches that could at least partially eliminate the problem. Now it’s up to administrators managing vulnerable systems to determine how quickly they react and update vulnerable software.”
In the end, though, time will pass and people will forget about the threat. However, Norwegian cybersecurity consultant Per Thorsheim explains in the CNN Money article that even when the bug becomes old news, people will still be vulnerable.
“In a few days everything will be forgotten, and the hackers will feast on [this] for years to come,” Thorsheim says.
In the meantime, about all that can be done is to update devices as patches become available. Nonetheless, it’s difficult for the average person to figure out if, for instance, their home security camera is vulnerable. What’s more, it’s highly unlikely that companies and public institutions will go so far as to update every single computer.
What are your thoughts on Shellshock, or cyber-security threats in general? Does your company actively work to take the necessary steps in response?