Shellshock Bug May Be Even Bigger Than Heartbleed: What You Need to Know

How did this 22-year-old vulnerability go undiscovered for so long?

By ABC News
September 26, 2014, 1:18 PM
A new bug called "Shellshock" may potentially leave millions of computers vulnerable to attacks.

Cyber security experts are sounding the alarm that the Shellshock bug, a 22-year-old flaw in the code of a commonly used piece of software, could be used by hackers to take over millions of computers.

Shellshock is so alarming that some cyber security experts have called it "worse than Heartbleed," the flaw in the open source OpenSSL library that left passwords vulnerable to hackers earlier this year.

Here's why: Heartbleed left private information, such as passwords and credit card numbers, vulnerable. Shellshock has the ability to take over an entire device, experts say.


The bug was traced to an open source piece of software called Bash, which is short for Bourne Again Shell. Since its first release in 1989, Bash has been built into many popular operating systems that companies have continued to build upon to this day. It is so prevalent that some estimates say the software runs on at least half of all devices that connect to the Internet.

"It's worse than Heartbleed in that it affects servers that help manage huge volumes of Internet traffic," Darien Kindlund of the cyber security firm FireEye wrote in a blog post. "Conservatively, the impact is anywhere from 20 to 50 percent of global servers supporting web pages."

Shellshock could also affect the "Internet of Things," meaning any smart home appliance that runs the affected software is open to attack.

However, software company Red Hat noted that while "it's certainly plausible that some devices may be affected by this flaw, it won't be very common."

If this is the first time you've heard of Bash, you're not alone. It is a command-line shell: the program that system administrators use to issue operating system commands and run scripts on Linux, Unix and Mac OS X systems.

The flaw was discovered by open source developer Stephane Chazelas. He contacted Chet Ramey, the Ohio man who has maintained the software for the past 22 years as a hobby, to notify him of the flaw, according to the New York Times.

The two men then worked with a group of open-source security experts and were able to create a patch within hours, the Times reported. Then came the tough part: They quietly contacted software makers while trying to make sure they did not tip off hackers to the vulnerability.

An alert from the National Institute of Standards and Technology rated Shellshock a 10 out of 10 in terms of severity and noted that the flaw is relatively easy for hackers to exploit. It was unclear, however, what damage, if any, Shellshock has caused so far.

While users were able to limit their exposure to Heartbleed by changing their passwords, there is little that typical users can do on their own to ward off Shellshock. The United States Computer Emergency Readiness Team on Wednesday published a link to a patch, which system administrators are being urged to install.
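For administrators who want to confirm that the patch actually took, the following probe is an added example and not part of the ABC News article or of Bash itself. It works the way the original Shellshock flaw (CVE-2014-6271) does: Bash lets a function definition be passed in through an environment variable, and a vulnerable version also runs whatever text follows the function's closing brace. The script sets such a variable, starts the target Bash with a harmless command, and checks whether the extra command ran. The function names, the marker string, and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the article): probe a bash binary for the original
# Shellshock flaw, CVE-2014-6271. A vulnerable bash, while importing a function
# definition from the environment, also executes whatever follows the closing
# brace; a patched bash ignores the trailing text.

# Usage: shellshock_check [path-to-bash]
# Exit status: 0 = vulnerable, 1 = not vulnerable, 2 = bash not runnable
shellshock_check() {
    target="${1:-bash}"
    if ! command -v "$target" >/dev/null 2>&1; then
        return 2
    fi
    # The payload is an environment variable whose value is an empty function
    # followed by an extra command. Only the "probe" echo is requested; if the
    # marker shows up as well, the extra command ran while bash started.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$target" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable wrapper so the result can be logged or scripted.
# The "|| rc=$?" form keeps the check from aborting a script run under set -e.
shellshock_report() {
    target="${1:-bash}"
    rc=0
    shellshock_check "$target" || rc=$?
    case $rc in
        0) echo "VULNERABLE: $target executes trailing commands from function definitions" ;;
        1) echo "not vulnerable: $target ignores trailing text after the function body" ;;
        *) echo "skipped: $target is not an executable bash" ;;
    esac
}

# Probe the bash on PATH (or the path given as the first argument).
shellshock_report "${1:-bash}"
```

Run it as `sh shellshock_check.sh /bin/bash` on each host after patching; a line beginning with "VULNERABLE" means the installed Bash still honours the bug. The probe only exercises the flaw described in this article; it does not cover the follow-up fixes that were issued for related parsing problems found after the first patch, so treat a clean result as necessary rather than sufficient.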

As for the typical user: Being cyber security savvy now can save you from a potential problem in the future. Experts recommend using unique passwords for every account and only entering payment information on secure websites.