A security flaw discovered in one of the most fundamental interfaces powering the internet has been described by researchers as 'bigger than Heartbleed', the computer bug that affected nearly every computer user earlier this year.

The 'Bash bug', also known as Shellshock, is located in the command-line shell used in many Linux and Unix operating systems, leaving websites and devices powered by these operating systems open to attack.

Like Heartbleed, Shellshock is a pervasive flaw that security researchers say will take years to fix properly. The responsibility to do so however rests with webmasters and systems administrators - rather than average users.

Security firm Rapid7 has rated the bug as 10 out of 10 for its severity, but "low" for complexity - with hackers able to exploit it using just three lines of code.


Read more:
How the Heartbleed bug reveals a flaw in online security
Internet Explorer 'security hole' leaves a quarter of web browsers vulnerable

However, unlike Heartbleed, Shellshock will not require users to rush from site to site changing their passwords but it does give hackers another method of attack that they could potentially use to take over computers or mobile devices.

If Heartbleed's effect on users was akin to unlocking everyone's front door simultaneously, sending people scrambling back home to turn the key (ie change their passwords) then Shellshock is like giving thieves a new type of crowbar to break in to houses with - they're just as likely to use older methods, but it's still a blow for general security.

Security researchers are especially worried about its potential - but as yet unknown - effect on Apple Mac computers, which uses the Bash software which the bug exploits directly in the form of its command-line program Terminal.

Researchers think that Shellshock could be trouble for Mac users.

Robert Graham, a security expert and CEO of Errata Security told The Independent: "It's really important that people who maintain websites make sure their computers are patched as quickly as they can. Hackers are already going to all websites and trying out this bug."

Mr Graham added that as Shellshock affects "a common bit of code that is used all over the place" it will take a long time for experts to fix all affected systems. "Years from now we'll keep finding yet another device that's still not been patched," he said.

The severity of Shellshock has been recognized by even the US government, with the US Department of Homeland Security releasing a warning about the bug and providing patches to fix affected servers.

Despite this, security experts have said that the affect of Shellshock will be minimal. "Of the top 10 ways hackers will hack computers this year, this won't make the list," said Graham.

The bug itself was first identified by a security team at Red Hat, an American company that provides open-source software and has sponsored initiatives including the Fedora Project and the software for the One Laptop per Child initiative.

It's been estimated that the bug has been present for at least a decade and most likely longer. Writing about the flaw on his blog, security researcher Michal Zalewski commented that it wasn't unusual for Shellshock to have gone unnoticed for so long:

"My take is that it's a very unusual bug in a very obscure feature of a program that researchers don't really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on."

Q&A: The Shellshock / Bash bug


What is Shellshock?

A. Shellshock is a mistake in the code of a program called Bash, which is typically installed on non-Windows operating systems such as Mac, Unix and Linux. The bug allows hackers to send commands to a computer without having admin status, letting them plant malicious software within systems.

Q. Could it be used to steal my financial details?

A. Yes. If banks or online retailers use older, "mainframe"-style computing systems, they are likely vulnerable. Home routers and modems could also be targeted as a way to get to PCs and laptops.

Q. Are there any indications it has already been exploited?

A. It's too early to tell. However, authorities fear a deluge of attacks could soon emerge. The US government has rated the security flaw 10 out of 10 for severity.

Q. What can be done to solve it?

A. Security experts around the world are now rushing to find a fix for the bug, but the widespread and varied use of Bash means there won't be a single solution. Individual organisations and companies such as Apple will develop patches for their own systems.

Q. What can I do to protect against it?

A. Experts recommend not using credit cards or disclosing personal information online for the next few days. Usual precautions are also recommended such as updating anti-virus software and not visiting dodgy websites.

Q. Why are people saying it's worse than "Heartbleed," the flaw that exploited security technology used by hundreds of thousands of websites?

A. While Heartbleed exposed passwords and other sensitive data to hackers, Bash Bug lets outsiders take control of the affected device to install programs or run commands. Bash Bug is rated 10 on a 10-point scale for its impact and ease of exploitability by the Common Vulnerability Scoring System, an industry standard for assessing how bad security flaws are. Heartbleed is rated 5.

On the other hand, a perfect set of conditions need to be present for the bug to be open to exploitation, which could limit its effect.

Heartbleed affected any system running OpenSSL, a common Web encryption technology. With the Bash Bug, your system actually has to be using Bash, Budd said. There are multiple types of command shells, so even if Bash is installed, the system could actually be using a different one.

Q. It's been a quarter century since Bash came out, so why is the bug a threat now?

A. That's because someone - Stephane Chazelas of Akamai Technologies Inc. to be specific - just found it.

"That's the thing with security bugs," Budd said. "It takes a person actually looking at that code, and seeing it, and saying 'that's not right'" to find problems.

Heartbleed was around for more than two years before it was discovered.

Q. What can you do about it?

Everyday users can't do much right now, except to wait for manufacturers to release fixes for the particular product. Companies are already releasing patches that correct the flaw, so Budd recommends applying the patches for routers, Macs and other devices as they come out.

But that can be easier said than done. Budd said it will depend on who made the equipment and whether you get a fix at all. Even if a fix is developed, getting it could be another matter. Budd expects that to be an issue with Android phones, because their manufacturers and carriers are often slow to push out the system updates that Google provides.

Of course, it always helps to run up-to-date security software on your devices.

-Independent with AP