Shellshock latest open source nightmare

How the ‘Bash bug’ threatens Mac and Linux users

By Angela Espinoza, News Editor

The Shellshock virus, also known as Bash bug, came into public knowledge on September 24. The virus specifically targets Mac and Linux devices, and allows hackers to access personal information and programs on the infected device.

The nickname Bash bug comes from the Bash Unix shell, which has been around since 1989 and is used in devices ranging from OS X programs to smartphones. Bash is common amongst various pieces of hardware due to the shell being open source, or freeware. The bug was found by Akamai Technologies researcher Stéphane Chazelas on September 12; announcement of the bug was delayed until some security measures could be offered.

Shellshock is the second widespread threat to the Internet this year, following Heartbleed back in April. However, Heartbleed was a security-specific bug that allowed passwords and information to thousands of accounts and websites to be easily accessed via open source software OpenSSL. Shellshock can be considered worse than Heartbleed in that it is the entire device that is being hacked, not just one account.

The bug has actually been active since 1992, and could have been taken advantage of anytime between then and now. Chazelas’ discovery increases the likelihood of Shellshock affecting devices, but also raises users’ awareness of how their devices are vulnerable.

Patches for specific devices are already available to help protect users from Shellshock, but as weaknesses have already been found in those patches, people are heavily encouraged to check on their various accounts (social media, bank information, etc.) and either change their passwords regularly or come up with difficult passwords. Monitoring your information and what’s available on your respective Linux, Mac, or Android devices is necessary.

But as discovery of the bug is still recent, there’s not a clear scope of Shellshock’s potential damage. Chief research officer of Rapid7 H.D. Moore told CBC via email, “At this point we don’t know what we don’t know, but we do expect to see additional exploit vectors surface as vendors and researchers start the assessment process for their products and services. We are likely to see compromises as a result of this issue for years to come.”

Security measures to combat Shellshock are actively being developed, but there is currently no “end all” fix to the bug. Also of note is that these bugs neither disappear nor are they forgotten about once time has passed. Heartbleed is still roaming around, and had been for several years prior to its discovery, and Shellshock will very likely do the same.