Shellshock – The horror hack with one man protecting us

And we thought the Heartbleed bug was bad! Shellshock affects every Linux system that uses Bash, which, for those who don’t know, is pretty much all of them. What uses Linux? Well, for starters, estimates put nearly 70% of all web sites on the internet as being hosted on Linux. What can you do with this hack? Take over the system.

Shellshock

The Heartbleed bug that shocked us all a few months ago seems almost tame in comparison to this. With that, hackers could sniff anything a site may have encrypted during transit. Heartbleed allows you to see passwords, phone numbers, even credit cards, as long as they’re in an armoured vehicle. With Shellshock, you can just walk in the house door and play with the children.

The issue comes from Bash, a system that is much like the command prompt on Windows; pretty much every version of Linux uses it, and even your friendly neighbourhood Geek Scot was affected. The problem is that Bash can be made to run extra commands tacked on to the end of other commands on Linux. Now let’s imagine your server has remote access available on it, so that you can make changes without having to sit in front of the machine. You’d have a password for it of course, and clever folks would even use a private key system to make it especially difficult to get into. The issue is that if you can just stick some Bash script on the end to run, regardless of a correct password, what does it matter? You’re in and can start changing and reading anything you want. You could even change the code on a site to email you all credit card numbers directly, or if it’s not a merchant site, no problem: you could update someone’s lolcat website to start downloading viruses onto their visitors’ machines, write fake press releases from corporate sites, whatever you want. The door is wide open.
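
A quick self-check for the behaviour described above, added here as an example and not code from the original post: it hands the local bash an environment variable holding a function definition with a command tacked on after it, then reports whether that trailing command ran. It assumes a `bash` binary is on the PATH, or that the shell to test is passed as the first argument.

```shell
#!/bin/sh
# Self-check for the Shellshock behaviour: does this bash run a command that
# is tacked on after a function definition it imports from the environment?
# Added example, not from the original post. Assumes `bash` is on the PATH,
# or that the shell to test is passed as the first argument.
check_shellshock() {
    shell="${1:-bash}"
    # The variable holds a function definition followed by an extra command.
    # A fixed bash imports (or ignores) the function and stops there, so the
    # only output is "test"; an unfixed bash also runs "echo vulnerable".
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        test)         echo "patched" ;;
        *)            echo "unknown" ;;   # shell missing or failed to start
    esac
}

# Report the result for the shell given on the command line (default: bash).
echo "bash status: $(check_shellshock "$@")"
```

Run it on each host before and after applying your distribution's update; anything other than "patched" needs a closer look.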

The issue brings to light the way these open source platforms are maintained. Heartbleed could have been fixed so much earlier if more people had volunteered support to maintain the projects affected by it. Chet Ramey is the only man who has committed himself to maintaining Bash; some people may be angry with him for letting this slip, but that would be unfair. He is one man, and we can’t expect him to catch everything. The fact is, millions of people use Bash, sometimes on critical systems. We’re not just talking websites now; it’s on hospital equipment, military systems, it’s on everything. So why were we so eager to use it, but no one put forward the extra support needed to maintain Bash? Chet shouldn’t be on his own; he needs support. Hopefully this, the second recent lesson in the lack of support for these critical pieces of software that we all use, will see not just a surge of support given to Bash but also a review of every open source system we’re all using, making sure no small team has too much responsibility. Let’s make sure the responsibility is shared. Shellshock is as bad as it gets, until we find something worse.

Get your Linux bug fixes: Ubuntu, CentOS, Debian, Fedora