Ever since yesterday’s news of the Shellshock Bash bug broke cyber security experts have been lining up to make clear how bad it really is.
Unlike Heartbleed, which affected mainly servers, Shellshock leaves a whole host of systems vulnerable including Apple OSX systems and many internet of things devices with embedded code that’s based on Unix or Linux.
Professor Mike Jackson cyber security expert at the UK's Birmingham City University says, "Obviously everyone wants to know if they might be vulnerable to attack. If you are an Apple PC user then the immediate answer is 'Yes'. Apple's OS X operating system is Unix based and therefore vulnerable.
Window’s users should not however be complacent. Your PC might be safe but what about the router you use for your broadband? Like as not it will use Unix-based software and therefore may be at risk of attack".
Because a great deal of the web relies on Apache which is also Unix based many internet sites are at risk too. This leads to general consensus that Shellshock is - or at least has the potential to be - worse than Heartbleed. Joe Siegrist, CEO and co-founder of LastPass sums up why, "The reason this could be potentially worse than Heartbleed is that with Shellshock you can make things run on a server, and get access to anything on that server, so in that way the exploits could be worse in terms of the actions that can be taken and the data at risk, and have worse consequences than Heartbleed."
The internet of things also represents a target rich environment for hackers thanks to this bug. Corero Network Security's Vice President of Product Management, Bipin Mistry says, "The Internet of Things or Machine to Machine could enable millions of network attached devices, both hardwired and mobile, to become bots for initiating amplification or high bandwidth attacks - hackers and attackers know this quite well and are exploiting the vulnerabilities that are substantiated in IoT devices".
A huge number of IoT devices means the potential to create large botnets. To combat this Mistry suggests, "Above and beyond the threat protection, there is additional value in understanding the details of the attack from analytics and insight and then rapidly turn the visibility around and provide even greater threat protection for the business".
Daniel Ingevaldson, CTO of Easy Solutions warns that companies must remain vigilant, "Everyone should watch their logs carefully - this exploit is noisily and easily logged - and patch as soon as possible. In addition, given the risk that the patches may not be effective, organizations should consider monitoring to ensure their devices are not being used to host phishing or other attacks."
Ron Gula, CEO and CTO of Tenable is worried that some companies may struggle to deal with the problem. "Auditing systems for ShellShock will not be like scanning for Heartbleed. Heartbleed scans could be completed by anyone with network access with high accuracy.
With ShellShock, the highest form of accuracy to test for this is to perform a patch audit. IT auditing shops that don't have mature relationships with their IT administrators may not be able to audit for this".
Quite how serious Shellshock is only time will tell but we’ll leave the last word to Birmingham City University's Mike Jackson, "Literally millions of websites could be open to the exploitation of the Shellshock bug. The damage it could cause is as yet unknown. The only safe prediction is that given the number of computers which are at risk that it will be years before this vulnerability is completely eradicated".