A newly discovered bug could make it possible for hackers to remotely issue commands to Web servers — which could mean big trouble for companies whose servers are affected, according to a few cyber security experts.
The issue, which is currently being called the “Bash” bug or “Shellshock,” was discovered by the security team at software company Red Hat on Wednesday.
Some experts are calling the Bash bug an even larger threat than the Heartbleed vulnerability, which was discovered in April and is still known to be affecting thousands of devices.
Bash is something that will affect companies more than humans because it involves web servers, and most every users aren’t running their own web servers.
Here’s a detailed overview of what it is and who might be affected.
What It Is
The Bash bug is a vulnerability that can allow a hacker to issue remote commands to web servers. Since the bug makes it possible for a hacker to tell a server to do anything he or she wants, there’s a risk that private information can easily be stolen from affected servers.
The exploit affects servers and systems that use a language interpreter called Bash to process commands. Certain versions of Linux and Unix use Bash, and Mac OS X 10 Mavericks also uses it since it’s based on an underlying Unix platform, Satnam Narang, a security response manager at cyber security firm Symantec, told Business Insider.
But that doesn’t mean every single device running on Linux is vulnerable to the Bash bug.
“There’s a list of requirements that makes these servers vulnerable,” Trey Ford, global security strategist for Rapid7 told Business Insider.
According to Ford, servers using the bash shell (or interpreter) are only vulnerable if they’re capable of passing commands remotely over the internet. That’s what could make it susceptible to intruders.
The vulnerability has been around for about 20 years — as long as Bash has been implemented in operating systems — but has only been discovered this week.
“Testing software is really hard,” Ford said. “Software is written by humans. Humans are inherently flawed; we make mistakes. Those mistakes manifest themselves inside the code. Sometimes it take a long time for these vulnerabilities to be identified.”
Why It’s So Dangerous
Although the Bash bug won’t affect nearly as many devices as Heartbleed, the consequences could be much more severe. That’s because Bash allows hackers to remotely execute commands, while Heartbleed only allows intruders to steal information from servers.
“This is definitely much different than Heartbleed and has much larger of an impact,” Narang said.
If a hacker can identify a vulnerable server, he or she can perform a number of different types of requests.
“The most important one is [hackers] can tell that server in a command, ‘Hey, why don’t you connect back to me so I can see what’s on your server,'” Narang said. “They can also get that server to send back information from it via email.”
One of the biggest problems, however, is that many systems that don’t get updated regularly won’t receive the necessary patch to fix the vulnerability. This can include things like routers, which aren’t updated very frequently, according to Narang.
Who Should Be Worried About It
The Bash bug also differs from Heartbleed in that its scope is much smaller. Bash isn’t likely to affect your everyday user. But it could have detrimental effects for any company with a web presence.
“You can be fairly confident that anyone that manages an internet presence or an enterprise, all around the world have administrative teams online watching this,” Ford said. “The whole world is scrambling to understand what this means for their company.”
But, as Ford mentioned earlier, not every device running some form of Linux, Unix, or Mac OS X 10 Mavericks is vulnerable. It will most likely impact businesses running their own servers, and Narang notes that there probably won’t be any impact on Windows devices.
What You Can Do To Be Safe
The complete patch for this bug is still underway, but there are some precautions you can take in the meantime. If you can take your servers offline without it posing too much of a risk to your business, it may be a good idea to do so, Ford said. Using a firewall for your website might help, but there’s no guarantee.
In the meantime, administrators should look through the server logs to make sure no suspicious commands have been given.