Shellshock: Bash bug 'bigger than Heartbleed' could undermine security of millions of websites – and there's nothing you can do to protect yourself

There's nothing you can do about it either - it's up to the experts to fix it

A security flaw discovered in one of the most fundamental interfaces powering the internet has been described by researchers as ‘bigger than Heartbleed', the computer bug that affected nearly every computer user earlier this year.

The 'Bash bug', also known as Shellshock, is located in the command-line shell used in many Linux and Unix operating systems, leaving websites and devices power by these operating systems open to attack.

Like Heartbleed, Shellshock is a pervasive flaw that security researchers say will take years to fix properly. The responsibility to do so however rests with webmasters and systems administrators – rather than average users.

Security firm Rapid7 has rated the bug as 10 out of 10 for its severity, but "low" for complexity - with hackers able to exploit it using just three lines of code.

However, unlike Heartbleed, Shellshock will not require users to rush from site to site changing their passwords but it does give hackers another method of attack that they could potentially use to take over computers or mobile devices.

If Heartbleed's effect on users was akin to unlocking everyone's front door simultaneously, sending people scrambling back home to turn the key (ie change their passwords) then Shellshock is like giving thieves a new type of crowbar to break in to houses with - they're just as likely to use older methods, but it's still a blow for general security. Security researchers are especially worried about its potential - but as yet unknown - effect on Apple Mac computers, which uses the Bash software which the bug exploits directly in the form of its command-line program Terminal.

Robert Graham, a security expert and CEO of Errata Security told The Independent: “It's really important that people who maintain websites make sure their computers are patched as quickly as they can. Hackers are already going to all websites and trying out this bug.”

Mr Graham added that as Shellshock affects “a common bit of code that is used all over the place” it will take a long time for experts to fix all affected systems. “Years from now we’ll keep finding yet another device that’s still not been patched,” he said.

The severity of Shellshock has been recognized by even the US government, with the US Department of Homeland Security releasing a warning about the bug and providing patches to fix affected servers.


Despite this, security experts have said that the affect of Shellshock will be minimal. “Of the top 10 ways hackers will hack computers this year, this won't make the list,” said Graham.

The bug itself was first identified by a security team at Red Hat, an American company that provides open-source software and has sponsored initiatives including the Fedora Project and the software for the One Laptop per Child initiative. 

It's been estimated that the bug has been present for at least a decade and most likely longer. Writing about the flaw on his blog, security researcher Michal Zalewski commented that it wasn't unusual for Shellshock to have gone unnoticed for so long:

"My take is that it's a very unusual bug in a very obscure feature of a program that researchers don't really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on."

Q&A: The shellshock bug

Q. What is Shellshock?

A. Shellshock is a mistake in the code of a program called Bash, which is typically installed on non-Windows operating systems such as Mac, Unix and Linux. The bug allows hackers to send commands to a computer without having admin status, letting them plant malicious software within systems.

Q. Could it be used to steal my financial details?

A. Yes. If banks or online retailers use older, “mainframe”-style computing systems, they are likely vulnerable. Home routers and modems could also be targeted as a way to get to PCs and laptops.

Q. Are there any indications it has already been exploited?

A. It’s too early to tell. However, authorities fear a deluge of attacks could soon emerge. The US government has rated the security flaw 10 out of 10 for severity.

Q. What can be done to solve it?

A. Security experts around the world are now rushing to find a fix for the bug, but the widespread and varied use of Bash means there won’t be a single solution. Individual organisations and companies such as Apple will develop patches for their own systems. 

Q. What can I do to protect against it?

A. Experts recommend not using credit cards or disclosing personal information online for the next few days. Usual precautions are also recommended such as updating anti-virus software and not visiting dodgy websites.