Move over, Heartbleed, because here comes Shellshock. This security threat has the potential to be even bigger than Heartbleed because of the way it lets attackers remotely access victims' computers through the Bash command line shell for Unix and Linux, plus it potentially affects Mac OS X and the iPhone, iPad, and iPod touch.
Bash's Shellshock flaw poses big security threat for Macs and other Linux systems
Shellshock is a roughly 25-year-old security flaw in the Bash shell that lets code held in certain environment variables be executed immediately and without the victim's knowledge. That code could give attackers deep access to the system as well as any data they want to harvest.
The flaw is a serious threat for Mac users even if they don't typically use the Terminal app to reach their computer's Unix underpinnings, because many of the apps they use may be tapping into Bash at some level.
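The mechanism the article describes, a function definition stored in an environment variable that a vulnerable Bash keeps parsing past the function body, can be checked on your own machine. The script below is an added example, not part of the original article; it assumes a `bash` binary on the PATH and reports whether that build stops at the function body (patched) or also runs the trailing command (vulnerable). Nothing is sent anywhere; it only exercises the local shell.

```shell
#!/bin/sh
# Local self-check for the Bash environment-variable flaw (constructed
# example; not from the article). A vulnerable Bash imports the function
# from the variable and then continues executing what follows the closing
# brace; a patched Bash ignores everything after the function body, so
# the word "vulnerable" is never printed.
check_shellshock() {
    bash_bin="${1:-bash}"          # hypothetical parameter: which bash to test

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi

    # The variable's value is a function definition followed by a
    # trailing command. Only the trailing command reveals the flaw.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'true' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Usage: run against the default bash, then act on the result.
# A "vulnerable" result means the fix is to update the bash package
# (or firmware, for embedded devices) from the vendor.
check_shellshock "$@"
```

The test drives the same parsing path that a web server or other service would when it hands request data to Bash through the environment, so a "patched" result here covers every local program that invokes that same binary; separate copies of Bash (for example, one bundled with an application) need to be checked by passing their path as the first argument.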
Robert Graham from Errata Security said,
We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we'll never be able to catalogue all the software out there that is vulnerable to the Bash bug.
The threat extends beyond OS X and iOS, too. Many Linux-based computers are susceptible, as are a wide range of other devices such as routers, network-connected storage systems, and even devices that can be programmed via the Internet like home automation products — some of which can't be patched, so they'll always be vulnerable.
Shellshock is being compared to Heartbleed, an OpenSSL flaw that gained widespread coverage earlier this year. That issue posed a serious threat to online servers and other computers because it let attackers steal encryption keys without being detected. With those keys in hand, attackers could intercept and decrypt data passing through online servers.
Apple said OS X and iOS weren't vulnerable to Heartbleed, but other companies scrambled to patch the flaw in their products. Because some companies with vulnerable devices aren't around anymore, or aren't supporting their older products, many devices on the Internet are still open to Heartbleed attacks.
"Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time," Mr. Graham said. "That means there are lots of old devices on the network vulnerable to this bug."
He added that while primary servers likely won't be vulnerable for long, many other devices running embedded versions of Linux will be. That doesn't bode well for the computer- and smartphone-toting community — potentially including iPhone and Android users — because the devices they use may be exposed to the Shellshock exploit.
Once an attacker has access to a system through the Bash shell, there isn't much they can't do.
"The potential is enormous – 'getting shell' on a box has always been a major win for an attacker because of the control it offers them over the target environment," said security expert Troy Hunt. "Access to internal data, reconfiguration of environments, publication of their own malicious code etc. It's almost limitless and it's also readily automatable."