Meet Bash: the new bug that’s apparently worse than Heartbleed

Just when we thought it was all over, there’s a new bug in virtual town, and it’s called Bash bug.

A few months ago the web was up in arms about security concerns regarding the notorious Heartbleed bug. The encryption bug put OpenSSL under compromise which means that a lot of websites were forced to restructure their security in order to protect sensitive user information.

The security flaw is said to be inherent to computers’ shell which is the user interface to access operating system’s services like Command Prompt. This means that both PCs and Macs are vulnerable.

A blog post by Robert Graham from the research firm Erreta Security suggests that, similar to Heartbleed, Bash bug (also carrying the alias Shellshock) is dangerous because it “interacts with software in a number of different ways” and that an “enormous percentage of software interacts with the shell in some fashion.” He also tweeted that it’s potentially worse than Heartbleed:

This 'bash' bug is probably a bigger deal than Heartbleed, btw.

— Robert Graham (@ErrataRob) September 24, 2014

Graham suggests that while modern web servers and the like will likely get patched, out-dated systems might not:

“Internet of things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.”

Graham does reassure us saying that while your primary servers are likely not affected by Bash bug, everything else probably is. “Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a bash patch. And, since most of them can’t be patched, you are likely screwed.”