Channel: Business Blog » Will Goodbody

BASH bug – Q&A

Up to 50% of web servers could be vulnerable to the bug


A potentially huge security flaw has been unearthed in a commonly used computer operating system that could impact hundreds of millions of devices around the world. Will Goodbody looks at what the fuss is all about.

So what’s all this talk about BASH?

Unix is an operating system which has been used as a foundation for the creation of many others, including the hugely popular Linux and Apple’s Mac OS. Bourne Again Shell or BASH is a text-based command system that is built into Unix-based operating systems. Put simply, BASH allows users to type commands into the computer to make things happen. But it has evolved many other important applications too.

And something has gone wrong?

BASH has been around for decades. But it has recently emerged that it contains a fairly fundamental security flaw or bug, which has been dubbed Shellshock. The issue is highly technical, and really one that only those familiar with computer coding will fully understand (see Red Hat’s explanation here). But suffice to say, experts in the field say it is very serious.

But computer security bugs are discovered all the time. What’s so special about this one?

Two things make this bug seriously worrying. First, if Shellshock is successfully exploited, it can allow hackers to get complete access to and control of the computer the BASH shell is running on. That means the hacker may be able to do everything from accessing files, to downloading information and monitoring ongoing activity.

And experts say it is easy enough to exploit. Second, because Unix-based operating systems are used so widely, so too is BASH. In particular, web page hosting servers running the Apache system are vulnerable. FireEye estimates that, conservatively, 20-50% of global servers supporting web pages could be at risk.

So, websites might be hit. Anything else?

Yes. Apart from computer servers, BASH is used in a whole variety of devices, from CCTV cameras to routers. It is also used in some of Apple’s Mac operating systems. The good news for Microsoft Windows users, however, is that it is not affected. Nevertheless, estimates put the number of devices, big and small, important and less so, that may be vulnerable as a result of the issue at up to 500 million. That may, in the long run, prove an overestimate. But it also could be an underestimate.

Is this the same as that Heartbleed bug we also heard about recently?

No, it is completely different. Heartbleed worked in a different way, allowing traffic between computers to effectively be eavesdropped upon and intercepted. It also affected up to 500,000 computers, which puts it in the ha’penny place compared to this latest beast.

Do I need to do anything? Can I do anything?

It depends. If you are responsible for the IT system of an organisation, which has servers, websites, etc, then you probably do need to do something. The first thing to do is to carry out a scan of your system, to identify whether the vulnerability is present. Linux distributors have started to issue patches. You should check with yours, although some experts have questioned how complete some of the updates are. You can also deactivate the BASH shell, but that may leave some of your applications not working properly. You can also switch your default shell away from BASH to something else. However, that too might create issues.

If you are an Apple Mac user, or have other internet connected devices in your home, watch for updates that may be pushed out by the manufacturers and install them immediately.

Are there any other risks?

Unfortunately you cannot do anything about the servers, controlled by other organisations, which hold your data or which your computers connect to. The danger is that if a hacker gains access to one of them, they could either steal personal information about you, or upload malicious software which you then unwittingly download. Hence, you should keep your firewall and anti-virus software up to date, and regularly scan your devices.

Is there any good news?

Of course, there’s always good news!

First, now we know about the bug, people responsible for patching it can go about their work – even if that is going to take a while. Second, so far security experts say they’ve seen no signs of the bug being successfully exploited. However, a number have already reported seeing malware (viruses) doing the rounds, which are designed to take advantage of the flaw. Finally, the chances are that hackers will go for the big boys – large corporations, organisations etc, where the potential bounty from a successful breach far outweighs the potential gains they might get from hacking into your home computer system.

Comments welcome via Twitter to @willgoodbody

