shellshock-worm

A nasty bug in many of the world’s Linux and Unix operating systems could allow malicious hackers to create a computer worm that wreaks havoc on machines across the globe, security experts say.

The flaw, called Shellshock, is being compared to last spring’s Heartbleed bug because it lets attackers do some nasty stuff — in this case, run unauthorized code — on a large number of Linux servers. The flaw lies in Bash, the standard Unix command shell, which other programs use to run commands on the computer’s operating system.

The good news is that it doesn’t take long to patch the bug. At Internet infrastructure provider CloudFlare, admins scrambled for about an hour this morning to fix the flaw, which was disclosed late on Tuesday. “We got 95 percent of it done within 10 minutes,” said Ryan Lackey, a security engineer at the company.

Because Shellshock is easy to exploit — it only takes about three lines of code to attack a vulnerable server — Lackey and other security experts think there’s a pretty good chance that someone will write worm code that jumps from vulnerable system to vulnerable system, creating hassles for the world’s system administrators. “People are already exploiting it in the wild manually, so a worm is a natural outgrowth of that,” Lackey said.

To exploit the bug, the bad guys need to reach software such as PHP or DHCP that passes attacker-supplied data to Bash when it uses Bash to launch programs within the server’s operating system.
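The reason those programs matter is that Bash imports environment variables whose value looks like a function definition, and a vulnerable Bash also runs whatever follows the function body. The script below is an added example, not from the article or from any vendor: a local self-check an administrator can run on a server to see whether the installed Bash still has the flaw (the variable name `MARKER` and the echoed token are arbitrary choices).

```shell
#!/bin/sh
# Added example: local self-check for the Shellshock bug.
# Prints "vulnerable", "patched", or "no-bash" and returns 0.
shellshock_check() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "no-bash"
    return 0
  fi
  # MARKER (arbitrary name) holds a value shaped like an exported Bash
  # function. A vulnerable Bash executes the trailing command while
  # importing the variable, so the token appears on stdout even though
  # the command we asked it to run is just 'true'. A patched Bash ignores
  # everything after the function body (and warns on stderr, discarded here).
  out=$(env MARKER='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'true' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
    *) echo "patched" ;;
  esac
  return 0
}

shellshock_check
```

Run it as the same user and with the same Bash binary that the exposed service would invoke; a "patched" result only covers that binary, not other Bash copies on the host.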

There are still some important questions about the bug. One is whether other operating systems that use Bash — Mac OS, for example — are vulnerable. Another big one: How many Linux server applications and appliance-like Linux devices — things like storage servers or video recording devices — might be vulnerable to the flaw? Many of these Linux systems do not use Bash at all, but those that do could be vulnerable to attack and difficult to patch.

In the grand scheme of things, Shellshock is not as big a problem as, say, phishing attacks, which continue to trick Internet users, said Robert Graham, CEO of Errata Security. However, it’s “slightly worse than Heartbleed,” he says. “It’s in more systems. It’s going to be harder to track them down and patch them, and you can immediately exploit it with remote code execution.” Heartbleed let criminals steal usernames and passwords, but it didn’t make it quite so easy to run your own malicious software on a vulnerable system, Graham says.

Like Heartbleed, the new bug has been around for a long time and was introduced in a widely used piece of open-source software. In the wake of Heartbleed, the open-source community came up with some money to beef up the security of several popular open-source tools. It may be time to add a few more — including Bash — to that list.