KAJX

Shellshock Bug's Impact Could Be Huge, But It's Unclear For Now

Sep 26, 2014
Originally published on September 28, 2014 1:21 pm

Hundreds of millions of computers and networks are at risk after a bug called Shellshock was found this week. It turns out it's actually been around for a while — it took 22 years to discover this bug. If exploited by hackers, the impact could be huge.

What has security companies so worried is the wide scope of the systems affected and the potential for wreaking havoc on systems connected to the Internet. Shellshock affects websites and computers running operating systems such as Mac OS and Linux. And it's estimated that more than 80 percent of the Internet serves websites on the software affected by this bug. Just hours after this security flaw was announced, it was already being exploited. A few things to keep in mind:

How does the bug actually work?

Your computer has a type of program called a shell — which lets you give it commands like, "run my Web browser," "open up this file," etc. If you use a Mac, that shell is likely Bash, which stands for Bourne-Again Shell. The vulnerability or bug discovered this week is in Bash.

Since it is the shell that runs when you give your computer commands, the worry here is that Shellshock could be used to take control of your machine. You can imagine the danger if a malicious hacker were to give it the wrong command, like "delete my files." So the main concern is that computers could be accessed remotely, making users quite vulnerable.

How are Internet companies responding?

Since it could affect most of the Internet, the big companies like Google and Amazon have already rolled out software patches for this. The question is whether smaller sites and programs patch things up quickly or leave themselves — and their users — vulnerable.

What can we individual users do to protect ourselves?

If you're running Windows, you're in the clear, as the vulnerability does not affect Microsoft Windows users. In terms of operating systems, Mac users are more at risk here, though Apple says most OS X users are safe. There's likely going to be an operating system update or patch for anyone running a Mac. So keep up to date with any software updates, and update your computer and mobile devices as those are released.

For the websites you commonly use, the best way you can limit exposure is to have different passwords for different services. And for the Web services you use, find out who's making the software and what the manufacturer says about the Shellshock bug, so you can protect yourself.

But we really won't see the fallout immediately. It's likely to play out over the next few months or years, as the sites and programs that don't patch up the flaws or don't monitor their security closely could stay vulnerable until a hacker takes control.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

LINDA WERTHEIMER, HOST:

Millions of computers and networks are at risk after a security flaw, which is being called Shellshock, was found last week. Now this is not a virus. It's a bug - a mistake in code. And it turns out, it's actually been around for a while. It took 22 years to discover this bug. And the impact could be huge if the security flaw is exploited by hackers.

NPR's Elise Hu is here to explain Shellshock. So, Elise, what has security companies worried about this thing?

ELISE HU, BYLINE: Well, your computer has a type of program called a shell. And that lets you give it commands - for instance, run my web browser, open up this file, that sort of thing. Now if you use a Mac, that shell is likely a shell called Bash. Bash is where this software bug was discovered.

And since this is what runs when you give your computer commands, the worry here is that Shellshock could be used to take control of your machine. You can imagine, Linda, if - the danger if a malicious hacker were to give it the wrong command, such as delete my files or download a nasty virus. So the main concern here is that your computer could be shelled into, remotely, making users quite vulnerable.

WERTHEIMER: So what is it that has the security companies so worried?

HU: It's the wide scope of the computers and the networks affected. And the potential here for wreaking havoc for any system connected to the Internet. Shellshock, as it's been named, affects websites and computers running operating systems like Mac OS, which many of us run, and Linux. It's estimated that more than 80 percent of the Internet serves its websites on that Bash software affected by this bug.

WERTHEIMER: So do the Internet companies have to do something?

HU: They have to release patches. And since it does affect so much of the Internet, the big companies, like Google and Amazon, you don't have to worry about. They have already rolled out software patches for this. The question now is whether smaller sites and programs will patch things up quickly or leave themselves and their users vulnerable.

WERTHEIMER: So is there something that individual users, like me - is there something I should do?

HU: Well, Linda, for now know that the vulnerability does not affect Microsoft Windows users, but Mac users are more at risk here. Apple says not to worry, there's going to be an operating system update, or a patch, for anyone running the more advanced systems on Macs. But generally, just keep up-to-date with any software updates, and update your computer and mobile devices as Apple releases those.

And for the websites you commonly use, the best way you can limit your exposure is just to use different passwords for different services. And also you can find out who's making the software you're using, and what the manufacturer is saying about the Shellshock bug so that you can better protect yourself.

But Linda, we really won't see the fallout immediately. It's likely to play out over the next few months, or even years, as the sites that don't patch themselves up and monitor their security closely could leave themselves vulnerable for a long time. And that's when a hacker could take control.

WERTHEIMER: NPR's Elise Hu covers technology and culture for us. You can read more about Shellshock on our tech blog, All Tech Considered, at npr.org. Elise, thanks.

HU: You're welcome.

Transcript provided by NPR, Copyright NPR.