Cybersecurity: What is the Bash Shellshock bug?

'Shellshock' is a bug in 'Bash,' the command-line shell that ships with Mac OS X, Linux and other Unix-like systems. The 'Bash' bug is believed to be as serious a threat as 'Heartbleed.'

Damian Dovarganes/AP/File
There are warnings that a security flaw known as the "Bash" bug may pose a threat to computers and other devices using Unix-based operating systems such as Linux and Mac OS X.

Hackers have launched attacks exploiting the newly identified "Shellshock" computer bug, researchers warned on Thursday, as news surfaced that an initial patch for the issue was incomplete, suggesting even updated systems were vulnerable.

The attacks came as security experts scrambled to determine how many systems and what types of computers are vulnerable to "Shellshock," which some say may be as serious as the "Heartbleed" vulnerability that surfaced in April.

"Shellshock" is a bug in a piece of software known as "Bash," the command-line shell on many Unix computers, including some Linux servers that run websites, and the tiny computers inside consumer devices such as routers and web cams.

"We don't actually know how widespread this is. This is probably one of the most difficult-to-measure bugs that has come along in years," said Dan Kaminsky, a well-known expert on Internet threats.

For an attack to be successful, a targeted system must be accessible via the Internet and also running a second piece of software that hands attacker-supplied input to Bash through environment variables, such as a web server executing CGI scripts, computer experts said. Bash alone, with no such network-facing front end, does not expose the bug to remote attackers.

"There is a lot of speculation out there as to what is vulnerable, but we just don't have the answers," said Marc Maiffret, chief technology officer of cybersecurity firm BeyondTrust. "This is going to unfold over the coming weeks and months."

Joe Hancock, a cybersecurity expert with insurer AEGIS in London, said in a statement that he is concerned about the potential for attacks on home broadband routers and controllers used to manage critical infrastructure facilities.

"In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched," Hancock said.

Linux makers released patches to protect against attacks on Wednesday, though security researchers uncovered flaws in those updates, prompting No. 1 Linux maker Red Hat Inc to advise customers that the patch was "incomplete."
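The two conditions described above (Bash importing an attacker-controlled environment variable, and a first patch that left part of the parsing problem open) can both be checked locally with a short script. The following is an added example, not part of the article and not code from any of the researchers quoted; it assumes `bash` and `/bin/sh` are installed and that `mktemp -d` is available. The CVE identifiers it names, CVE-2014-6271 for the original bug and CVE-2014-7169 for the incomplete patch, are the advisories' assigned numbers and are not mentioned in the article itself.

```shell
#!/bin/sh
# Added example, not from the article: two local checks for the Bash
# environment-variable parsing bug. shellshock_check() covers the original
# flaw (CVE-2014-6271); shellshock_check_partial() covers the hole that the
# first patch left open (CVE-2014-7169). Each prints one word: "vulnerable",
# "patched" or "missing" (the named shell is not installed), and returns
# non-zero when vulnerable so callers can do `shellshock_check || alert`.

# Original bug: a variable whose value starts with "() {" is imported as a
# function, and a vulnerable Bash keeps parsing past the closing brace and
# runs whatever follows it. The marker text appears only if that trailing
# command ran; a fixed Bash prints a warning to stderr and ignores it.
shellshock_check() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 2; }
    out=$(env TESTVAR='() { :; }; echo SHELLSHOCK_MARKER' "$shell" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable; return 1 ;;
        *)                   echo patched;    return 0 ;;
    esac
}

# Incomplete-patch bug: the malformed function body leaves a stray ">"
# redirection behind in the parser, so the command "echo date" is executed as
# ">echo date" and a file named "echo" appears in the working directory.
# Run inside a scratch directory so a vulnerable shell cannot clobber
# anything real.
shellshock_check_partial() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 2; }
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$scratch/echo" ]; then
        rm -rf "$scratch"; echo vulnerable; return 1
    fi
    rm -rf "$scratch"; echo patched; return 0
}

# Usage: report on bash and on /bin/sh. Non-Bash shells such as dash ignore
# the variable entirely and therefore report "patched".
for s in bash /bin/sh; do
    printf '%-8s CVE-2014-6271: %s  CVE-2014-7169: %s\n' "$s" \
        "$(shellshock_check "$s" || true)" "$(shellshock_check_partial "$s" || true)"
done
```

Both checks only exercise the local binary; they say nothing about whether a system is reachable through a vulnerable front end such as a CGI script, which is the separate condition an attacker needs. A system that reports "patched" for the first check but "vulnerable" for the second has applied only the initial, incomplete update.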

"That's a problem. It's been a little over 24 hours and we're still in the same boat," said Mat Gangwer, lead security consultant at Rook Security. "People are kind of freaking out. Rightfully so."

Russian security software maker Kaspersky Lab reported that a computer worm has begun infecting computers by exploiting "Shellshock."

The malicious software can take control of an infected machine, launch denial-of-service attacks on websites to disrupt their operations and scan for other vulnerable devices, including routers, said Kaspersky researcher David Jacoby.

He said he did not know who was behind the attacks and could not name any victims.

"Heartbleed" is a bug in an open-source encryption software library called OpenSSL. The bug put the data of millions of people at risk, as OpenSSL is used in about two-thirds of all websites. It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.
