Is The Bash Bug Bigger than Heartbleed?

Upload: william-hendric

Post on 14-Jul-2015


What is the Bash Bug?

• The Bash Bug is the newest security flaw, also known as the Shellshock bug.

• It is the current big vulnerability that is threatening the tech industry.

• The bug could be a potential disaster for major digital firms, small-scale Internet hosts, and even Web-connected devices.

• The quarter-century-old security bug allows the execution of malicious code in the Bash shell to compromise an operating system and access sensitive data.

• The bug commonly accesses a system via the Command Prompt on a personal computer or the Terminal application on a Mac.

• Apple is yet to release a security patch for the same. However, according to an Apple spokesperson, the firm is addressing the problem and will soon be releasing a patch.

Who Should be the Most Worried?

• Web admins will be the most affected of the lot, followed by consumers.

• Since Web-based services are for consumers, a compromised server can send malware to the consumer.

• In simple words, an infected website can upload a virus onto a user's system.

• Cyber criminals who attacked the server could install a malicious app on the Web server and use it to siphon sensitive data from those visiting the site.

• For example, hackers could install malware on an e-commerce website and steal credit/debit card information.

• Unfortunately for shoppers, there is no way to identify the affected websites.

What do Security Experts Say?

• According to the North Carolina-based software firm Red Hat, it is common for programs to run the Bash shell in the background.

• The flaw is triggered when extra code is added within lines of Bash code.

• Robert Graham, owner of Errata Security, warned that the Bash flaw is much bigger than the Heartbleed bug.

• Owing to its unexpected ways of interacting with other software and the enormous percentage of software that interacts with the shell, the Bash bug is the bigger flaw of recent times.

• Further, it is difficult to catalog all the software vulnerable to the Bash flaw, added Graham.

• The problem is with unknown systems that remain unpatched, while known systems (for example, Web servers) are patched.

• In fact, six months after the Heartbleed attack, thousands of systems still remain vulnerable to security flaws.

• Technology news and information site Ars Technica reported that the bug could impact Linux and Unix devices, and hardware running Mac OS X.

• The report also stated that Mac OS X Mavericks is vulnerable to the Bash flaw.

• The Bash bug could be a potential threat to connected Internet-of-things (IoT) devices. Examples include heart monitoring implants, smart thermostat systems, and automobiles with built-in sensors, to name a few.

• Since the software of these IoT devices is built using Bash scripts and is less likely to be patched, they expose the flaw to the outside world, warned Graham.

• The bug has been around for a very long time, which could mean many older devices will be vulnerable.

• Compared to Heartbleed, the number of systems that need patching is larger.

• The Heartbleed flaw, which came to light in April 2014, had been deployed into OpenSSL more than a couple of years earlier.

• The major security bug allowed hackers to retrieve random bits of memory from affected servers. The flaw was called 'catastrophic' by U.S.-based cryptographer Bruce Schneier.

Why Patch the Shell?

• Rapid7's engineering manager Tod Beardsley warned that, though the flaw is of low complexity, the wide range of devices impacted requires that system admins apply patches immediately.

• The flaw is indeed a very big deal, considering that it scored 10 for severity (maximum impact) and low for exploitation complexity (very easy for hackers to use it).

• The impacted software, Bash, is so widely used that hackers can make use of this flaw to remotely carry out attacks on a host of servers and devices.

• Using this bug, hackers can take control of an operating system, gain access to sensitive information, and modify or change it.

• Businesses and individuals using systems with Bash need to patch them immediately.

What Can be Done?

• A thorough scan of the Internet was performed by Robert Graham to test for the flaw.

• His findings revealed that the Bash bug is capable of easily passing through firewalls and affecting many systems.

• This could potentially spell doom for big networks. Both Graham and Beardsley agreed that the issue needed immediate attention.

• Scanning the network for FTP, older versions of Apache server, and Telnet is one way to avoid the bug.

• Any device that responds is more likely an old system requiring a Bash patch. Since most of them cannot be patched, the tech industry is screwed big time.

• The issue is that some firms either lack the resources to update their servers or are worried their systems would be too fragile to handle the patch.
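
The triage step described above, as an added example that is not part of the original slides: a POSIX shell function that reads scanner results for your own network and lists the hosts answering on FTP, Telnet, or an older Apache, so they can be checked for an unpatched Bash. The `host port banner` input format, the sample addresses and banners, and the Apache 2.4 cut-off are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage scan results for legacy services (FTP, Telnet, old
# Apache) whose hosts should be checked for an unpatched Bash.

# Constructed sample data, one "host port banner" record per line.
SAMPLE_SCAN='10.0.0.5 21 220 ProFTPD Server ready
10.0.0.7 23 login:
10.0.0.9 80 Server: Apache/2.2.3 (CentOS)
10.0.0.11 80 Server: Apache/2.4.10 (Debian)
10.0.0.12 443 Server: nginx/1.6.2
10.0.0.9 21 220 (vsFTPd 2.0.5)'

# triage_legacy SCAN_TEXT [MIN_APACHE]
# Prints "host reason[,reason]" for every host that needs a closer look.
# MIN_APACHE (major.minor) is an assumed cut-off; the slides give no version.
triage_legacy() {
    printf '%s\n' "$1" | awk -v min="${2:-2.4}" '
        BEGIN { split(min, m, ".") }
        NF < 2 { next }                      # skip blank or malformed records
        {
            host = $1; port = $2; why = ""
            banner = $0
            sub(/^[^ ]+ +[^ ]+ */, "", banner)   # drop host and port fields
            if (port == 21) why = "ftp"
            else if (port == 23) why = "telnet"
            else if (match(banner, /Apache\/[0-9]+\.[0-9]+/)) {
                # "Apache/" is 7 characters; the rest is major.minor
                split(substr(banner, RSTART + 7, RLENGTH - 7), v, ".")
                if (v[1] + 0 < m[1] + 0 ||
                    (v[1] + 0 == m[1] + 0 && v[2] + 0 < m[2] + 0))
                    why = "old-apache"
            }
            if (why == "") next
            if (!(host in seen)) { seen[host] = why; order[++n] = host }
            else if (index("," seen[host] ",", "," why ",") == 0)
                seen[host] = seen[host] "," why
        }
        END { for (i = 1; i <= n; i++) print order[i], seen[order[i]] }
    '
}

triage_legacy "$SAMPLE_SCAN"
```

A host on this list is only a candidate for follow-up; whether it needs the Bash patch is confirmed on the device itself.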

For more information about Heartbleed, click https://blog.whichssl.com/2014/07/overcome-heartbleed-vulnerability-ssl/