Earlier this year, major companies such as Ebay, Amazon and Facebook implored their users to change all of their passwords, due to a security flaw which was known as ‘Heartbleed’. While this was at the time one of the largest security flaws to be discovered in terms of number of people affected, the tech world moves very quickly. An even worse bug called ‘Shell Shock’ has now been revealed in the last 24 hours, which puts almost the entire internet at risk of attack.
But how does it work?
Computer systems in the modern age are built generally in a series of layers. Old software is used as the building blocks of new software, and is often incorporated by default into massively larger programs. If an exploit exists within a newer part of any given software, it is generally only localised in its impact, as very few computers contain this piece of code. However, as is the case with the latest Shell Shock exploit, if a vulnerability is found in an old piece of code in wide use, almost everyone becomes vulnerable.
The problem at the core of the Shell Shock exploit is located within the Bash shell used as one of the rudimentary layers of computing on so-called Unix-based operating systems. These operating systems, which include OSX and Linux comprise almost all web servers around the globe, and are thus vulnerable to this exploit. Should these systems be targeted, an attacker could theoretically use this exploit in order to execute remote commands on a server.
4 out of every 5 websites are threatened by the Shell Shock exploit
These commands could be used to carry out procedures such as installing backdoors within servers, siphoning off information, remotely triggering shutdowns, or even commanding them to delete all their data. What makes this especially bad, is that Unix-based web servers make up over 80% of all web hosting services, meaning that more than 4 out of every 5 websites are threatened by the exploit. Worse still, security researchers have revealed that this bug is already being used by enterprising criminals to carry out remote attacks.
Currently, it remains to be seen if this attack will end up causing a greater impact than the earlier Heartbleed bug. While large companies such as Google or Amazon would have people working already to patch this bug, given the huge number and wide variety of systems using Unix, less well maintained devices could remain vulnerable for a very long time indeed. Only time will tell the true impact of Shell Shock…
Cool Ad Here