Added by Erik West on September 25, 2014
A defect in web servers and other devices makes them vulnerable to new types of attacks, resulting in possible exposure of personal information from websites. The defect affects about one billion websites and, by estimates, billions of internet-connected devices, including cameras, WiFi routers, and many more.
The defect, named Shellshock, was discovered a week ago, when security experts started discussing it within specialized forums; however, it was publicly announced only about 24 hours ago.
According to a bulletin issued by the US Department of Homeland Security through the National Vulnerability Database, the defect is rated 10 out of 10 in terms of its overall impact because it is easy for an attacker to take advantage of it.
To make matters worse, say security experts, the defect can be used to run programming code that replicates across many internet-connected servers and other devices.
Comparing it to the recent Heartbleed bug, researcher Troy Hunt said in a blog post, “in one way, the Heartbleed comparison isn’t fair – this is potentially far worse.” He goes on to say, “…I suspect that so far we’re only scratching the surface of what is yet to come.”
Researchers say hackers may have known about this defect for “an extended period of time” and they have confirmed they are seeing hackers take advantage of it.
Security experts say that specific versions of web software are affected; however, the software that powers many internet-connected devices has been in use for 21 years, making the estimate of the number of affected devices possibly in the billions. While newer software is available, installing it on all systems is expected to take a very long time due to the sheer number of systems that need to be upgraded. Plus, some systems may never be fixed because they’re impossible to upgrade; these are referred to as embedded systems.
Internet security experts say websites are not the only things affected by the defect. Cameras, door locks, home security systems, wireless routers, refrigerators, and thousands of other types of devices that are connected to the internet likely have the same defect. Devices with the Shellshock defect are not only vulnerable to attack, but could also be used to perpetrate an attack that could involve millions of computers and devices.
Researchers have created a technique to mitigate the risk of an attacker being able to take advantage of the Shellshock defect, and many organizations are using the technique on their systems.
Akamai, which handles about 30% of global internet traffic, says its services are in the process of being fixed to detect and stop attackers from taking advantage of the defect. Other organizations are working as fast as possible to patch, or fix, affected systems.
The defect affects internet servers and other devices that use a Unix-based operating system – about 51% of all websites. In addition, an estimated 26 billion devices are affected. Devices include fridges, thermostats, washers/dryers, security and other cameras, WiFi routers, door locks, entertainment systems, and any other device that is always connected to the internet.