Q&A: Experts warn of Bash Bug, what are the risks? (Update)

September 25, 2014 by Barbara Ortutay
In this Feb. 22, 2010 file photo, a student uses an Apple MacBook laptop in his class in Palo Alto, Calif. New warnings are emerging of a security flaw known as the "Bash" bug, which cyber experts say may pose a serious threat to computers and other devices using Unix-based operating systems such as Linux and Mac OS X. (AP Photo/Paul Sakuma, File)

Internet security experts are warning that a new programming flaw known as the "Bash Bug" may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

___

Q. What is the Bash Bug, and why is it a big deal?

A. The bug, also known as "Shellshock," is in a commonly used piece of system software called Bash. Bash has been around since 1989 and is used on a variety of Unix-based systems, including Linux and Mac OS X.

Devices that use Unix in some form include many servers, routers, Android phones, Mac computers, medical devices and even the computers that create bitcoins. Systems running power plants and municipal water systems could also be affected by the bug, though security experts already recommend that these systems remain disconnected from the Internet to avoid opening them to such risks.

Bash is a command shell—"the thing you use to tell your computer what you want it to do," explains Christopher Budd, global threat communications manager at security firm Trend Micro. Thus, exploiting a security hole in Bash means telling your computer, or other systems, what to do.

___

Q. Why are people saying it's worse than "Heartbleed," the flaw that exploited security technology used by hundreds of thousands of websites?

A. While Heartbleed exposed passwords and other sensitive data to hackers, Bash Bug lets outsiders take control of the affected device to install programs or run commands.

On the other hand, Bash Bug might be harder to exploit. Heartbleed affected any system running OpenSSL, a common Web encryption technology. With Bash Bug, your system actually has to be using Bash, Budd said. There are multiple types of command shells, so even if Bash is installed, the system could actually be using a different one.

___

Q. It's been a quarter century since Bash came out, so why is the bug a threat now?

A. That's because someone—Stephane Chazelas of Akamai Technologies Inc. to be specific—just found it.

Heartbleed was around for more than two years before it was discovered.

___

Q. Should you be worried?

A. For now, the Bash Bug appears to be more of a potential nuisance than a major threat.

It's a more vexing problem for Mac owners. The Bash Bug makes it easy for hackers to take control of a Mac running on a public Wi-Fi network, such as one in a coffee shop or airport, said Chris Wysopal, chief technology officer of computer security firm Veracode.

At home, a hacker who takes control of an Internet router could consume so much bandwidth for online mischief that the owner gets hit with a huge bill from service providers that impose monthly data caps, said Dave Lewis, Akamai Technologies' global security advocate.

Another possible security problem: A hacker who seizes control of a vulnerable Web server might collect online passwords stored in databases, said Joe Siegrist, CEO of LastPass, a service that stores and protects passwords. The threat doesn't appear to be as high as with Heartbleed, however.

The Bash Bug could cause massive damage if it's used to create an Internet "worm"—lines of malicious computer coding that wiggle from one vulnerable server to the next. A worm that reaches pandemic proportions could bog down the Internet and even render some services inaccessible. At this point, a worm feeding on the Bash Bug looms as a theoretical threat.

___

Q. What can you do about it?

A. Everyday users can't do much right now, except to wait for manufacturers to release fixes for their products. Budd recommends applying the patches for routers, Macs and other devices as they come out.

Even if a fix is developed, getting it could be another matter. Budd expects that to be an issue with Android phones, because their manufacturers and carriers are often slow to push out the system updates that Google provides.

Of course, it always helps to run up-to-date security software on your devices.

___

Q. Should these recurring security breakdowns cause people to reassess society's ever-increasing dependence on the Internet?

A. Probably, given that the revelations about Bash Bug and Heartbleed surfaced within six months of each other. What's especially troubling about Bash Bug is that it's been hiding in plain sight for the past two decades, even as millions more machines came online to widen the threat.

Furthermore, these risks are likely to escalate as people store more documents, photos, videos and even medical records over the Internet. At the same time, technology is expected to make it possible to plug just about everything imaginable into the Internet, be it coffee machines or automobiles.

We'll just have to live with technological risks. As Lewis noted, "We are already too far down the road to take a step back."


4 comments


Eikka
not rated yet Sep 26, 2014
In all likelihood, the bug was known to malicious entities well before this discovery.

The source code to Bash is public for everyone to see, and it's such a major component in Unix systems that you bet NSA or the Chinese, or some online criminal group has spent the last two decades poking holes in it and not telling anyone else.

Also, again a demonstration of why it's bad to put Linux on your embedded devices that are supposed to connect to the internet. You can't patch the software remotely without messing up your customers' setups, and the users don't know how to or can't do it themselves, so you're left with billions of vulnerable devices - or product recalls.

Skepticus
not rated yet Sep 26, 2014
I have to question the mentalities and the intentions of the programmers. Every major "bug" discovered lately has been worse than the last.
kochevnik
not rated yet Sep 26, 2014
FreeBSD has an alert system and many other distributions have as well. Bash is a feature shell that shouldn't be used for high-security systems. There are hundreds of shells and many use a tighter security model. Ultimately it's a lazy approach on the part of system developers who want more privileges and risky behavior than they actually need for the task. Bash has a restricted mode which might also thwart the security hole, but it's the administrator's job to employ it. Lazy administrators and developers will open many vulnerabilities more far-reaching than this exploit.
kochevnik
not rated yet Sep 26, 2014
I have to question the mentalities and the intentions of the programmers. Every major "bug" discovered lately has been worse than the last.
Programmers included a bash restricted mode. Vendors refused to employ tight security. Ultimately it is the middle people who open the holes. Programmers and end-users have a vested interest whereas admins can usually pass the blame to either endpoint.
