Magpie Tech Tips

October 01, 2014

The Bash Bug/Shellshock - Why It's Not "Bigger" Than Heartbleed

Have you seen the news about "Shellshock" yet? A bug in Linux and Mac OS X software which the media's calling "worse than Heartbleed." We think it's an issue, but not that bad. Here's why.
You may recall the Heartbleed bug from earlier this year. The vulnerability in OpenSSL technology put online transactions the world over at risk of data theft.

In late September, a vulnerability has come to the media's attention in the bash shell. Bash is used in most Linux systems and some Mac OS X computers. The vulnerability, dubbed “Shellshock” or "The Bash Bug," could allow hackers to break into computers and access confidential information. Like credit card details or your Social Security Number.

'Bigger than Heartbleed': Bash bug could leave IT systems in shellshock – CNET
Shellshock Makes Heartbleed Look Insignificant – ZDNet

However, we think the risk present here is not as bad as the media claims. Particularly when it comes to our customers.

Why?
  1. We use Windows Servers for most of our clients. The few Linux servers we do keep around are already patched. So are most Linux servers configured to update automatically.
  2. Developers for Linux operating systems such as Android and Red Hat are already issuing patches.
  3. Exploiting Shellshock takes some coding skill. And even if you exploit it, there’s no guarantee of a big payoff.
  4. Shellshock is not strictly a bug - it's a coding peculiarity within the bash shell itself. It's not new either; this has been known for 25 years. And in those 25 years, it hasn't caused any serious harm to servers (that we know of).
This doesn’t meant Shellshock is not a threat at all; FireEye reports that malware and DDoS attacks targeting Shellshock are already in the wild.

However, we do think the media is overstating the threat. The vulnerability is already being patched.

If you are not a PlanetMagpie customer yet, or you run Linux servers in your business, please talk to your IT administrators. Chances are they're aware of Shellshock. But just in case they're not, have them look into it. We're happy to assist if they'd like input.