
Hackers thrash Bash Shellshock bug: World races to cover hole

Update your gear now to avoid early attacks hitting the web

Party like it's 1999 – this is going to turn into a worm

Tenable's EMEA technical director Gavin Millard warned that the vulnerability can be exploited by worms that infect machine after machine after machine as they crawl through the internet – just like Slammer, Blaster and others floored Windows servers years ago.

"The potential for attackers utilizing Shell Shock is huge with millions of Unix and Linux servers vulnerable," Millard warned.

"The major concern of Shell Shock is the staggering amount of systems that have Bash installed – almost every Unix platform and many of the 'Internet of Things' devices we now have in our homes and businesses.

"Unfortunately, due to the ease of exploit, Shell Shock is a prime candidate for a worm. We could be looking at another SQL Slammer-like worm but instead of 100,000 servers being affected, it could be more like 100,000,000, which would be catastrophic.

"Every organisation should be scanning for this vulnerability today and patching everything they can. On a scale of one-10, 10 being critical, this bug is an 11 and should be treated as such."

Even putting aside the nightmare of a worm outbreak, the impact of Shell Shock is potentially huge. Darien Kindlund, director of threat research at FireEye, described the bug as "horrible."

"It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic," Kindlund said.

"Conservatively, the impact is anywhere from 20 to 50 per cent of global servers supporting web pages. Specifically, this issue affects web servers using GNU Bash to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet." ®
