Image: Mashable composite. Bob Al-Greene/Mashable, Andrey Frolov/Getty Creative/Associated Press
By Samantha Murphy Kelly2014-09-25 16:34:48 UTC

A new vulnerability called Shellshock, also called the “Bash Bug”, affects Bash, the command shell shipped with most Linux distributions and with Apple’s OS X. A vulnerable Bash treats an environment variable that begins with “() {” as a function definition and keeps executing whatever text follows the closing brace, so any service that passes attacker-controlled input into Bash’s environment (web servers running CGI scripts, for example) can be made to run arbitrary commands. That has the potential to let attackers take control of your computer as well as gain access to data and services in the cloud.

Shellshock could pose an even greater threat than Heartbleed, the large-scale vulnerability earlier this year that affected many popular websites and services (including Gmail and Facebook). Although its full impact is still unknown, Heartbleed could have quietly exposed sensitive account information (such as passwords and credit card numbers) at any point during the roughly two years the flaw was present.

Heartbleed was a flaw in OpenSSL, the open-source cryptographic library that many online services use for encryption, and it let attackers read chunks of a server’s memory. Shellshock is arguably worse, since it can let cybercriminals run commands of their choosing and fully take over servers and individual machines.

That would give them access to databases, files and source code, and let them delete or change data, too. A hacker might leave files behind that tip off a company that something was modified, but an intrusion can also be done cleanly, which makes it much harder to tell whether a system was exploited. What an attacker can actually reach depends on the privileges of the account that ran the vulnerable Bash, which is one reason services should not run as root.

Unfortunately, there is no quick fix for ordinary computer users: unlike with Heartbleed, changing your passwords does nothing until the affected systems are patched. Those patches are already being distributed to many systems, experts say.


A test performed on a Bash shell on a new MacBook Air revealed the computer is vulnerable to the newly discovered Bash Bug.

Image: Stan Schroeder, Mashable

“We believe this is bigger than Heartbleed, though the responsibility is on web server administrators and those managing computer systems to update with the proper patches,” Amber Gott, a spokesperson for password security firm LastPass, told Mashable. “Once the bug is fixed and systems are updated, it’s only then that consumers should take action to change their passwords — they should practice good security habits as soon as possible and get started with a password manager, too.”

“At the moment, though, consumers should just sit tight,” she said. “They should wait to hopefully see action from the companies and services they use.”

Hackers are already trying to exploit the vulnerability and have even come after LastPass.

“Shellshock is being actively exploited — we’ve seen attempts against us (without success) and seen reports of other companies also seeing it exploited (like CloudFlare),” she said. “Those companies that are not as proactive are at huge risk and may have already been exploited.”

The reason Shellshock could be worse than Heartbleed is that attackers can run commands on a server rather than merely read from it, and so gain access to anything on it. “The exploits could be worse in terms of the actions that can be taken and the data at risk, with worse consequences than Heartbleed,” Gott said.

Kasper Lindegaard, head of vulnerability intelligence at security firm Secunia, said computer companies need to issue a patch quickly in order to stop the worst from happening.

“We already know Apple OS X is affected, but Apple needs to provide a patch first as soon as possible to protect its users,” Lindegaard said.

“The same goes for businesses,” said Lindegaard, adding that a few patches have already been released but none that are truly complete. “Some patches at this stage are proving to be ineffective, so it’s possible you might have to go back and patch the same systems more than once. In those cases, it’s possible that users can change to and use a different shell than Bash, as a temporary workaround.”

Linux and Mac users can patch their machines individually, but doing so is likely beyond most laypeople: you have to go to the machine’s command line and fix the issue from there. Mashable does not recommend anyone attempt to apply the patch themselves unless you really know what you’re doing. If you don’t, you’re more likely to render your machine unusable than patched.
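Checking whether a particular Bash is affected is far safer than patching by hand, and it is also how to confirm that a patch actually took. The script below is an added example constructed for this page, not code from Mashable, LastPass or Secunia. It runs the two widely published probes: the one shown in the MacBook Air screenshot above, which exercises the original bug (assigned CVE-2014-6271), and the follow-up probe for the first, incomplete fix (CVE-2014-7169), which is why the same system may need patching more than once. The function names and the “vulnerable/patched/missing” labels are this example’s own conventions; the path to the Bash binary being tested is an optional argument.

```bash
#!/bin/sh
# Shellshock probe. Added example, not from the article. The function names and
# the vulnerable/patched/missing labels are this script's own conventions.
# Usage: sh shellshock-check.sh [/path/to/bash]   (defaults to "bash" on PATH)

# Original bug (CVE-2014-6271): a vulnerable bash imports any environment
# variable whose value starts with "() {" as a function and keeps executing the
# text after the closing brace, so "echo VULNERABLE" runs as soon as the child
# bash starts. A fixed bash ignores the trailing text and prints nothing.
shellshock_6271() {
  local bash_bin out
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 2; }
  out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'true' 2>/dev/null) || true
  case "$out" in
    *VULNERABLE*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# Incomplete first fix (CVE-2014-7169): the parser could still be derailed by a
# malformed function body. The classic probe makes a vulnerable bash turn
# "echo date" into a redirection, writing the date into a file called "echo".
# We run it inside a scratch directory and look for that file rather than
# trusting anything the child prints.
shellshock_7169() {
  local bash_bin scratch result
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 2; }
  scratch=$(mktemp -d) || { echo missing; return 2; }
  ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || true
  if [ -e "$scratch/echo" ]; then result=vulnerable; else result=patched; fi
  rm -rf "$scratch"
  echo "$result"
}

# Combined verdict: a system is only safe once both probes report "patched".
shellshock_status() {
  local a b
  a=$(shellshock_6271 "$@") || true
  b=$(shellshock_7169 "$@") || true
  echo "CVE-2014-6271=$a CVE-2014-7169=$b"
}

shellshock_status "$@"
```

Run it as `sh shellshock-check.sh` to test the Bash on your PATH, or pass the path of a specific binary (for example one just installed by a vendor patch) to check that one instead. Both probes spawn a fresh Bash rather than testing the running shell, because an already-running vulnerable shell would not reflect a patch installed after it started.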

Most machines will need to be patched by IT administrators and, in the case of affected Macs, Apple. For the majority of users, that leaves just one option: wait.

Mashable will be updating this story with more information about available patches as they come in.
