What You Need to Know About the Bash Software Bug

USA

It could make Heartbleed look more like a Heart-scrape.

The Bash software bug, which could affect more than half of all web servers, is being called the most serious cybersecurity threat every by some security experts.

“The outright contagion capacity is very real,” said Trend Micro Chief Cybersecurity Office Tom Kellermann. “I likened it to Ebola having reached U.S. airports, and us being in the dark about how it’s spreading in the U.S.”

Over 500 million servers could be affected by the Bash bug, said Kellermann. Meanwhile Heartbleed, which was discovered in April, was estimated to affect just 500,000 sites.

Here, FOXBusiness.com breaks down some of the most important questions surrounding the Bash vulnerability:

1. Who’s affected?

“The bug is part of the Unix operating system, called Bash. Unix is very old, and this component was written about 20 years ago,” said Veracode Chief Security Officer Chris Wysopol. Linux, a highly popular operating system, is similar to Unix and is also affected.

Wysopol estimates that as much as 70% of all Internet-enabled machines are running Unix or Linux, including many web servers, PCs, routers and even some Internet-of-Things devices.

Most corporations are likely running affected operating systems, said the security experts, making this a five-alarm priority. On the individual side, experts noted that while Apple’s OSX operating system is susceptible, Apple’s vulnerability was rather limited.  Android users, however, are highly at-risk, said Kellermann.

2. What could hackers do using Bash?

Researchers have deemed the Bash bug a 10 out of 10 in terms of severity, said Wysopol. “It’s in the worst category – remote command execution,” said Wysopol. Essentially, hackers can use the bug to take over a given machine. From there, they can steal data, alter data or turn the machine off.

Hackers can also turn machines into what’s called a “botnet” – a collection of connected machines. Botnets are commonly used to execute distributed denial-of-service attacks (DDoS), where hackers direct so much traffic to a target that it ends up shutting down service. Banks including Bank of America and JP Morgan Chase have suffered from DDoS attacks in the past. Kaspersky Lab’s Senior Security Researcher Roel Schouwenberg said his security firm has already seen botnets established using the Bash bug.

Kellermann warned that the bug could also turn some sites into “watering holes.” In these cases, visitors to infected sites would in turn become affected with malicious code – increasing the severity of this bug.

3. How can it be fixed?

Companies that provide Linux platforms need to release patches, which will fix the vulnerability. Red Hat, the leading provider of Linux platforms, has already published two patches, said Josh Bressers, a member of the company’s security team. In order to be safe from hackers, companies and individuals will need to update their software with the patches.

Though Bressers acknowledged that the bug could give hackers complete control over a machine, he said it wasn’t as pervasive as others have suggested.

“You hear people talking about every computer on the Internet that has Bash [being vulnerable],” said Bressers. But he asserted that machines are only vulnerable if they’re running Bash in certain ways. Bressers said he couldn’t estimate how many machines are actually affected.

Bressers also said that most connected devices in the home would not be vulnerable to the bug. Some experts, including Kellermann, have said that the bug could indeed be used by hackers to control home security devices or cameras connected to the Internet, or even some medical devices.

Given Red Hat’s role in distributing Linux platforms, Kellermann said it made sense that Bressers would downplay the severity of the bug and the potential for catastrophe. And in the time it takes for companies to update their software with the patches, Kellermann said hackers could wreak mayhem.

“Every day the patch is not out, the rats associated with the plague spread. And even when the patch does come out, you may already have the rat with the disease in your house,” warned Kellermann.