A newly discovered bug in Linux and OS X exposes another major cyber security flaw that went undiscovered for years.
Red Hat, a distributer of enterprise-level Linux applications, revealed in its corporate blog yesterday that it discovered a major security hole in some Unix-based systems like Linux and Mac OS X. The bug, known as “Shellshock,” is an exploit in the Bash operation allows attackers to remotely execute commands on computer systems. The vulnerability gives attackers the ability to run malicious programs on computer systems such as routers, medical devices, smart appliances, web applications and more. The vulnerability doesn’t require a username or password to execute commands, making systems even with high-level security susceptible to exploitation.
While the vulnerability affects less systems than Heartbleed, the danger in the glitch comes from how much control it gives a potential attacker over a system. While Heartbleed presented a leak in confidential and encrypted data, the exploit in Bash gives an attacker a mode to effectively take over a system.
The exploit also allows attackers to execute commands on affected systems with relative ease, which opens the door for attackers with little experience to exploit systems remotely with potentially devastating consequences. The vulnerability has likely been present in Enterprise-level Linux operating systems dating back several years, leading to high proliferation of the exploit in many systems.
Like Heartbleed, the existence of the glitch for several years makes it difficult to determine what if any exploitation of Shellshock has already occurred. At least one instance of Shellshock being used has been spotted online, but the potential exists that attackers used the vulnerability undetected for years.
While Shellshock may be dangerous because of the potential for how much of a system it can affect, there’s still plenty of factors that may negate the impact of the glitch. Jen Ellis of the security firm Rapid7 said in a company posting that exploitation via Bash requires a perfect storm of circumstances for attackers to take advantage of the bug.
“The vulnerability looks pretty awful at first glance, but most systems with Bash installed will NOT be remotely exploitable as a result of this issue,” Ellis said. “This bug is going to affect an unknowable number of products and systems, but the conditions to exploit it are fairly uncommon for remote exploitation.”
Manufacturers of affected devices are expected to release patches addressing the issue in the coming weeks. For personal computers, the largest pool of vulnerable users comes from Mac users. Computers running OS X can test for vulnerabilities in the Terminal program; many users reported seeing the vulnerability in Yosemite, Mavericks and other versions of OS X.
Correction: The article previously identified Red Hat as the maker of Linux rather than as a distributor of enterprise-level Linux applications.