Well, at least it's not another data breach...yet. US-CERT, a division of the Department of Homeland Security, has issued an alert regarding the 'Shellshock' vulnerability. The alert concerns a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.
W3Techs reported earlier this year that approximately two thirds of Internet-based servers use Unix or Unix-like operating systems. This broad install base is just one of the reasons this discovery is so troubling. The second disturbing part of this vulnerability is the length of time the problem has existed - possibly 25 years! That length of time compounds the issue because of the sheer number of computers involved. Some affected equipment will be very old and possibly embedded in other hardware, or even in infrastructure such as power plants. It's not just web servers; it's all the Unix-based hardware used in manufacturing and other industries, such as medical automation, that might happen to have web access for maintenance and reporting.
This is not malware or a virus but a flaw discovered in early September 2014. Bash was first released in June 1989. It has been distributed widely as the shell for the GNU operating system and as the default shell on Linux and Mac OS X. Hackers and malware developers are not known to waste an opportunity such as this.
According to the all-knowing Krebs on Security, attackers are already probing systems for any possible weakness. Jaime Blasco, labs director at AlienVault, writes in a company blog post about his efforts to attract attackers. Blasco said: "[On September 24] we began running a new module in our honeypots, waiting for attackers to exploit this vulnerability. We have had several hits in the last 24 hours. Most of them are systems trying to detect if the system is vulnerable. On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks."
At this early stage it's difficult to guess the extent of the attacked hardware. As a point of comparison, the Heartbleed Bug was widely reported in April 2014 as a catastrophic event for the computing world. Heartbleed's targets were also Unix-based servers, but only a smaller subset of Unix operating systems was affected.
However, even with a declared worldwide catastrophe, Lastpass.com currently documents that, five months later, a surprising number of very high-profile websites still haven't protected their visitors against the Heartbleed Bug. If very high-profile websites running the latest hardware are slow to close known exploits, then when - if ever - will the owners of older embedded equipment patch their hardware?
It appears hackers and malware distributors will have vast armies of bots, running on exploited hardware and following attackers' commands, for many years to come.