Shellshock: What you need to know about the bug
Coding flaw in software can allow hackers to take control of computer
Cybersecurity experts are raising the alarm about a new vulnerability in a piece of widely-used software.
Shellshock is a coding flaw in the Bash software application that leaves a computer vulnerable to attack. Hackers can exploit the flaw using worms or other hacking methods to take full control of a computer to destroy data, shut down networks or launch attacks on websites.
The discovery of the vulnerability, which follows closely on the tail of the Heartbleed bug, has left many wondering how such a thing could happen and what they can do to protect themselves.
CBC Radio's Calgary Eyeopener spoke with Dana Di Tomaso, who is a partner with the digital marketing firm Kick Point.
Di Tomaso has experience with web development and system design, and is a technology columnist with CBC Radio's Edmonton AM.
How does Shellshock work?
The issue is with the Bash software, Di Tomaso said.
"[Bash] is used to give commands to a Linux system, which is one of the main servers that runs the internet," she said.
"The issue is that normally a human, or another machine, will give Bash commands and then Bash will let the servers do things. The problem is there's a programming flaw that lets users tack additional code in after you send it a command, and that could give you access to the entire system."
Essentially, the problem can be likened to someone leaving a door open in the program, she said.
Will this affect you?
The only home computer systems affected by this flaw run Apple's OSX Mavericks, according to Di Tomaso.
However, Apple released a statement overnight saying only users who have configured advanced Unix services on their computers — and that's not something the average person does accidentally, she said.
That means most home computer users are not affected in terms of their systems, but could be at risk if their passwords are stored on a server that becomes compromised.
If a home user has the same password for email and other computer applications, access to that password could allow a hacker to take control of their device, Di Tomaso says.
Why 'Shellshock' and how is it different than Heartbleed?
The vulnerability is so-named because Bash is part of what's known as the "shell" of a computer, she said.
The flaw has been around for almost nine years now but the shock at its discovery — and that no one had found it before now — has led to it being called Shellshock.
While many might remember the Heartbleed bug from April, Di Tomaso said Shellshock is very different.
With Heartbleed, anyone using an affected server could be compromised. With Shellshock, not all computers running the affected software could be exploited.
Despite that, security experts say Shellshock could inflict greater damage than Heartbleed, which only allowed hackers to steal data.
"I think it's more dangerous in the sense that if someone does manage to take over a server, all the information on that server is completely open to them," said Di Tomaso.
It's not clear yet how many computers are vulnerable.
What can you do?
While there's not a lot that can be done at the moment, Di Tomaso says developers are working to come up with a patch that would fix the coding problem in the Bash software.
"Apple is going to put out a patch," she said. "So make sure to install that as soon as it's available. "
Apart from that, staying safe really comes down to the personal responsibility to follow basic internet rules, she said.
"Please use different passwords for different services," said Di Tomaso.
To avoid having to remember all your passwords, she suggests people consider using a password locker such as Last Pass or One Password.
They work by saving all of your passwords in a database, which you can access using one master password. That master password is then the only one you need to remember.
"It's like knowing the combination lock on your locker," she said, stressing problems like Shellshock and Heartbleed aren't going to go away any time soon.
"As long as there are humans programming, there are going to be bugs. One of the issues with programming is it could be something like an errant comma and it screws everything up," she said.
"You just need to be aware of what's going on with the computer systems that you use and then when security updates come out, don't ignore them."