Is the Shellshock Vulnerability the new Heartbleed or something worse?

This article was originally published on Technology.Info.
As part of our continuing strategy for growth, ITProPortal has joined forces with Technology.Info to help us bring you the very best coverage we possibly can.

Since its discovery last week the Shellshock vulnerability in Bash has been hitting the headlines, with some observers predicting a digital armageddon. Bash is open source software that runs onmillions of Linux and UNIX based systems including web servers,and every Apple OS X device.

Update: Apple has now released apatchfor versions of OS X which fixes the vulnerability. Technical information andthe patchcan be

downloaded here

.

Even defence systems are vulnerable we are warned with cyber attackers already planning devastating attacks, according to the FT. “One of the most acute and pervasive online security loopholes ever identified.” it said.

So concerned was the National Cyber Security Division of the US Department of Homeland Security that they rated it 10 out of 10 for both exploitability and impact, which not surprisingly gave it an overall score of 10 for severity.

However some may argue that with been here before, when

Heartbleed

made the rounds earlier this year and then was quietly contained. But this may well be different.

"Shellshock is a serious bug.It affects a large portion of the servers out there and, in addition, it is incredibly easy to exploit, since it's a simple command injection. This vulnerability has all the characteristics that make it a perfect tool for writing a self-spreading worm. Fortunately, we haven't seen one - yet.I think we are in for some interesting times." said

Giovanni Vigna

, CTO at anti malware specialistsLastline and

keynote speaker at Cyber Security Expo

.

Just like Heartbleed the Bash bug is easy to fix but the real difficulty is identifying how many systems may be already affected, and whether they have already been compromised.

Butunlike Heartbleed, the Shellshock bug is much more active, it can enable hackers to run programs in the shell, write files as well as copy and delete them.

Uri Rivner, head of cyber strategy at cognitive biometrics firm

Biocatch

and a keynote speaker at

Cyber Security Expo

, believes this is serious and the repercussions will last some time.

"The internet will be a notch more dangerous in the coming days as web site administrators begin to apply patches for the massive new vulnerability. Bash is popularly used in web servers based on Linux and Unix, which are considered relatively safer than other operating systems, so the impact is considerable. While the big websites will quickly find a remedy, there will be a long tail of smaller sites that will not respond fast enough and will succumb to the host of cyber criminals already rubbing their hands and launching attacks based on the new loophole." he said.

According to Rivner, the main objective for these hackers will be digging for user names, passwords, email addresses and credit card numbers stored in the site, as well as using them for drive by download attacks to install trojans on visitor machines.

However, another Cyber Security EXPO keynoter

Jon Callas,

CTO and co-founder of

Silent Circle

is in no doubt it's a serious problem but it may have been over hyped. "It's a huge impact because bash is the default shell on many operating systems. Thus, any problem in bash has a huge impact, a minor problem would be a minor problem everywhere. But it isn't, however, as serious as some news organisations would like it to be. It isn't worse than Heartbleed." he said.

As for Apple, a company not used to major vulnerability issues, itstypically upbeat statement read: “With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced Unix services. We are working to quickly provide a software update for our advanced Unix users."

Topics