Sep 25, 2014

How serious of a security threat is the “Bash bug?”

I’ve heard reports of a new security threat called the Bash bug (or Shellshock), and some of them claim that this is a more serious issue than Heartbleed. Is this just hyperbole, or is the Bash bug really that great of a concern? If so, what makes it such a significant threat?

What is the Shellshock Bash bug and why does it matter?

"By now you may have heard about a new bug found in the Bash shell. And unless you're a programmer or security expert, you're probably wondering if you should really worry. The short answer is: Don't panic, but you should definitely learn more about it, because you may be in contact with vulnerable devices.

This bug, baptized "Shellshock" by Security Researchers, affects the Unix command shell "Bash," which happens to be one of the most common applications in those systems. That includes any machine running Mac OS X or Linux. The "shell" or "command prompt" is a piece of software that allows a computer to interact with the outside (you) by interpreting text. This vulnerability affects the shell known as Bash (Bourne Again SHell), which is installed not only on computers, but also on many devices (smart locks, cameras, storage and multimedia appliances, etc.) that use a subset of Linux."

As for how serious it is, that depends who you ask. According to a statement from Red Hat, “...some devices may be affected by this flaw, but it won’t be very common.” On the other hand, some security firms are saying that this will impact 30-50% of all servers supporting web pages.


The National Institute of Standards and Technology rated it as a security concern that is a 10 of 10, so they seem to take it seriously. US-CERT does as well, saying Bash is, “... a vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.”


US-CERT also provides links for updates that patch the vulnerability. https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability 
