Only months after the Heartbleed bug came to light, a new Linux security vulnerability known as the Bash bug could potentially be more widespread and unfixable than Heartbleed.
The bug, which is more than 25 years old, exists within the Linux operating system in a utility known as the Bash shell, which is found on most Linux systems.
If exploited, the bug could have serious ramifications for companies with a significant digital presence.
According to a post explaining the bug on Red Hat’s blog, many websites use the Bash shell in the background to run scripts and perform limited command execution, but with the introduction of a single line of malicious code, the harmful code can worm its way through PCs and Macs and take over a company’s or individual’s operating system.
The security dangers and the vulnerability of people’s personal and company information are obvious, but according to CNet and Robert Graham of Errata Security, this bug is arguably ‘bigger than Heartbleed’, simply because of the prevalence of the shell across the tech world.
So Bash shellshock is being heavily exploited. Patch your servers fast please please please. https://t.co/nSyfKQMle3
— Robert Graham (@ErrataRob) September 25, 2014
For most software, ‘you’re likely screwed’
The Bash shell is so widely used that an attempt to catalogue every single piece of software containing the bug is simply too big to handle, particularly with older devices.
However, there is some minor respite for companies: Graham says most primary servers will be largely unaffected, though companies need to undertake a thorough check of every other piece of software.
“There’s little need to rush and fix this bug. Your primary servers are probably not vulnerable to this bug.
This is the only piece of good news, as Graham elaborates further: “However, everything else probably is. Scan your network for things like Telnet, FTP, and old versions of Apache.
“Anything that responds is probably an old device needing a bash patch. And, since most of them can’t be patched, you are likely screwed.”