Why Shellshock Bug Is Way Nastier Than Heartbleed

NEWS ANALYSIS: Expert says that if your operating system is not patched automatically, install an update as soon as possible.

Download the authoritative guide:

The nasty Shellshock bug that surfaced late on Sept. 24 can easily take down Linux and Unix operating systems and cause widespread havoc because it delves deeper into the operating system kernel than any previous worm, a veteran security expert told eWEEK.

Because Shellshock uses as entrance the common command execution shell known as bash [for Bourne-Again SHell], it can allow hackers to potentially take control of hundreds of millions of machines around the world, unless stakeholders get the operating systems for their machines patched as soon as possible.

"There's a huge set of dependencies every time a system boots -- every time many systems do anything, bash is somehow involved," Carson Sweet, CEO and founder of cloud security provider CloudPassage, told eWEEK. "The bug allows a remote attacker to execute arbitrary code directly into the core of these systems. It's bad -- real bad."

Sweet has 22 years of experience in the security business and was a high-ranking technical executive with RSA Security before founding CloudPassage in 2010. CloudPassage secures cloud infrastructure for large enterprises on a 24/7 basis and automates vulnerability management throughout enterprise cloud hosting environments.

Go here to read another news perspective from eWEEK's Robert Lemos.

Millions of Systems Vulnerable

Attributes of Unix are used in millions of public and private networks -- in data center web servers, database servers, server farms (like those used by social networks), and in many specialized servers. The bash shell is used in many systems.

Unix components also serve as key elements of other operating systems, such as all Linux distributions, Oracle Solaris, and Apple's OS X operating system. Windows systems aren't off the hook, either; the Bash component is used in some of them, Sweet said.

Cleaning this up is going to be a huge task, Sweet said. All the operating system vendors and security providers have either finalized their patches or are finishing them now; all users of Linux, OS X and even a number of Windows and Android devices need to be proactive and download and install system updates as quickly as possible, he said.

Once Shellshock gets into a system kernel, that OS image is as good as hacked.

Shellshock is similar to last spring's Heartbleed bug in that it allows a hacker to exploit a wide range of servers and other devices. But Heartbleed, which infected an estimated 500,000 computers, only broke into security layer, not into the center of the operating system itself. Shellshock has the potential to wreck millions of systems.

Heartbleed Hit Security, Not the Kernel

"Heatbleed, for example, allowed people to steal data from systems using SSL (secure socket layer), and SSL is used on web servers, some database servers, and so on. But Bash is used in everything," Sweet said.

"We're talking about web servers, database servers, soda machines, cars ... this is really broad. Because it's goes so deep, it's tied right into the core functions of the systems, thus it allows pretty much anything to be done."

Red Hat, the North Carolina-based company that distributes the most widely used commercial version of Linux, determined that its first patch issued Sept. 25 was incomplete, warning later in the day that hackers could still use Shellshock to take over a machine. The company said it is working on a new patch.

The National Institute of Standards and Technology said that the Shellshock vulnerability rates a 10 out of 10 in terms of its severity, impact and exploitability. But it also ranks low in terms of its complexity, meaning it could be easily used by hackers, The New York Times reported Sept. 25.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...