'Bash' Security Bug (AKA 'Shellshock') Could Devastate The Web For Years

25/09/2014 11:37 BST | Updated 25/09/2014 14:59 BST

Remember Heartbleed? The security bug at the heart of the internet which made it possible for hackers to steal virtually any data from millions of websites at will, undetected, for two years?

Yeah, that's happened again.

This time the bug is called 'Shellshock', or just 'Bash', and experts are suggesting it could be even more devastating.

The bug affects Linux, Unix and Mac OS X, and is said to be more difficult to exploit than Heartbleed, which undermined key security tech at the heart of the web.

It's named Bash after the command interpreter (or “shell”) which is present in most Unix systems, including Mac OS X.

The vulnerability gives hackers a new route into Bash, and would allow an attacker to control most elements of the OS and software running on it.

It would allow attackers to circumvent the protection built into apps, and run any code they choose on the computer.

Toyin Adelakun, VP of products at Sestus, explained:

"The risks are of attackers executing arbitrary code on Unix systems, or illicitly modifying, adding or deleting data on such systems. To mitigate those risks, the urgent advice is to immediately patch or update the bash software. That applies both to servers and to clients (i.e. individuals’ systems) such as Apple MacBooks and Mac Pro desktop computers. Because they affect both client and server computers, and because they could lead to data leakage directly from computers, these risks do indeed potentially surpass those of the Heartbleed bug."

But while the Bash bug is complex, its impact is also unpredictable.

Robert Horton, managing director of NCC Group’s European security consulting division, said that it holds "wide impacting ramifications".

"It is basically a vulnerability of which the full impact is currently hard to determine, but the ramifications are likely to be significant as it will definitely introduce some subtle bugs.

"It has the potential to be pretty severe in systems which use the older CGI standard and it has the capacity to be remotely exploitable. This standard cuts across platforms and thus potentially holds wide impacting ramifications. However, it is neither as media friendly nor as universally exploitable as the recent Heartbleed bug.

"People will find plenty of unexpected ways to trigger this vulnerability and that means its scope will be wider than appreciated, and this might have a detrimental impact."

Other experts agreed, describing it as "bigger than Heartbleed".

Fortunately - or perhaps unfortunately - for individual users of the web the advice remains the same: use different passwords for everything, change them often, and don't type your password anywhere you aren't sure is secure.