A major flaw in a piece of open source code that affects Mac OS X and Linux users has cybersecurity professionals scrambling to identify and patch vulnerable machines -- but embedded devices making up the so-called "Internet of Things" could be among the worst hit by the bug.
Dubbed "Shellshock" by some members of the IT security community, the issue affects "bash" -- a piece of open source code used in Unix-based systems since the 1980s. Bash is a shell that interprets user commands, meaning it serves as a sort of direct route to controlling systems that is built in at the operating system level.
The National Institute of Standards and Technology's National Vulnerability Database scored the vulnerability as a "10," on a scale from one to 10, on both impact and exploitability. US-CERT also issued an advisory, saying "exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system."
"A significant part of the Internet is running a Linux or UNIX-based version of operating system that includes the bash shell," explains Bogdan Botezatu, senior E-threat analyst at cybersecurity vendor BitDefender. "These UNIX-based web servers often run CGI scripts that rely on bash for functionality, therefore any attack against these scripts could result in exploitation and, subsequently, could allow a hacker to remotely own the machine."
A half billion web servers and other Internet-connected devices, including mobile phones, routers and medical devices, could be impacted by the bug, according to cybersecurity firm Trend Micro. Experts say the issue could in some ways be a bigger deal than Heartbleed, a vulnerability discovered earlier this year in a widely used open source encryption library. "One of the big differences between this and Heartbleed is that you get to totally control the computer you manage to exploit because the bug is at the operating system level," says Tod Beardsley, engineering security manager with cybersecurity firm Rapid7, whereas Heartbleed could only be used to steal information.
Major Linux distributors have already pushed out patches -- but some appear to be stopgap fixes that do not completely resolve the problem. In a comment on Red Hat Linux's initial fix, security engineer Huzaifa Sidhpurwala said that the organization had "become aware that the patches shipped for this issue are incomplete," saying that attackers could still exploit the vulnerability under certain circumstances.
Web servers, which often run Linux, may be among the most obvious targets at risk. But Internet-connected devices may ultimately be the most difficult to fix. Much of the software embedded in those devices makes use of "web-enabled bash scripts," security researcher Rob Graham explained on his blog. That puts those Internet-connected devices -- ranging from your wireless router to security cameras or appliances -- at risk, particularly if they have web-based interfaces, says Beardsley. And yet, he says, "there's almost never an automatic update, and sometimes not even manual update, procedures."
The result? "For the devices most likely to be affected, there isn't a good patching infrastructure in place to fix it," he says.
"Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time," wrote Graham. "That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed."
But it's hard to know just how pervasive the problem may be because bash is so deeply embedded in systems. "The real scale of the problem is not yet clear," says David Jacoby, Senior Security Researcher at Kaspersky Lab. "It's almost certain that hackers and security researchers are testing web services and Linux software right now and the results of these tests will probably be published in the coming days."
But the process is time-consuming, says Beardsley. "You can't really scan for it like you could for Heartbleed, and although you can test for it."
Graham's initial research appears to suggest that the bug is wormable -- meaning it can be exploited to self-replicate in the wild. And Botezatu says his company has already noticed attacks against web servers using the vulnerability today. "They are very easy to implement and carry out."
"In short, this is potentially a 'plague-like' vulnerability that can exploit command access to Linux-based systems constituting approximately 51 percent of web servers in the world," according to Christopher Budd, Trend Micro global threat communications manager. "Because of the pervasiveness, attacks against it could 'grow' at a very fast pace."
While both Heartbleed and the Shellshock bug were discovered in open source software, Beardsley thinks their discovery is actually a sign that the open source model is maturing. "We're hitting this era where open source is finally delivering on its promise: There are a lot of eyeballs and they are discovering problems."