TSB NETWORKS

Report: Security experts expect 'Shellshock' software bug to be significant

Long before the commercial success of the Internet, Brian J Fox invented one of its most widely used tools. 

In 1987, Fox, then a young programmer, wrote Bash, short for Bourne-Again Shell, a free piece of software that is now built into more than 70 per cent of the machines that connect to the Internet. That includes servers, computers, routers, some mobile phones and even everyday items like refrigerators and cameras. 

On Thursday, security experts warned that Bash contained a particularly alarming software bug that could be used to take control of hundreds of millions of machines around the world, potentially including Macintosh computers and smartphones that use the Android operating system. 

The bug, named "Shellshock," drew comparisons to the Heartbleed bug that was discovered in a crucial piece of software last spring. 

But Shellshock could be a bigger threat. While Heartbleed could be used to do things like steal passwords from a server, Shellshock can be used to take over the entire machine. And while Heartbleed went unnoticed for two years and affected an estimated 500,000 machines, Shellshock went undiscovered for 22 years. 
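The article does not describe the mechanism, so here is the widely circulated one-line check for the original Shellshock flaw (CVE-2014-6271), wrapped in a small script. This is an added example, not code from the article or from the Bash project. Bash imported shell functions from environment variables whose value began with "() {", and vulnerable versions kept parsing past the closing brace and ran whatever text followed; because web servers pass request headers to CGI scripts as environment variables, an attacker could put that text in an HTTP request, which is how "take over the entire machine" happened in practice. The variable name x and the echoed marker are arbitrary choices for this example.

```shell
#!/bin/sh
# Added example: probe the local bash for the original Shellshock bug
# (CVE-2014-6271). A vulnerable bash executes the command that follows
# the function body in the exported variable; a patched bash ignores it
# (and prints a warning about the ignored function definition attempt).

shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        printf 'bash not found\n'
        return 2
    fi
    # Only the "() {" prefix matters; the variable name 'x' is arbitrary.
    # The trailing command here is a harmless echo; on an exposed CGI
    # host it would be whatever the attacker placed in a request header.
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) printf 'vulnerable\n'; return 1 ;;
        *)            printf 'patched\n';    return 0 ;;
    esac
}

# Exit status mirrors the verdict: 0 patched, 1 vulnerable, 2 no bash.
shellshock_check
```

The stderr redirect hides the "ignoring function definition attempt" warning that a patched bash emits, so the verdict is decided purely by whether the marker was executed. Later Shellshock follow-ups (CVE-2014-7169 and others) needed different probes; a "patched" result here only covers the first bug the article reports on.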

That a flawed piece of code could go unnoticed for more than two decades could be surprising to many. But not to programmers. 

Many of the commercial tools that individual users and large corporations depend upon are built on top of programs that are written and maintained by a few unpaid volunteers in what is called the open-source community. That community, along with big companies like Google, adjusts and builds new things on top of older work. The Macintosh operating system, for example, is routinely updated, but it is built on top of older programs like Unix. 

Sometimes there are flaws in that code. And over the years, the flaw becomes part of all sorts of products. 

Fox maintained Bash, which interprets and runs the commands a user types, for five years before handing over the reins to Chet Ramey, a 49-year-old programmer who, for the last 22 years, has maintained the software as an unpaid hobby. That is, when he is not working at his day job as a senior technology architect at Case Western Reserve University in Ohio. 

Ramey said in an interview on Thursday that he believed he inadvertently introduced Shellshock in a new Bash feature in 1992, though he could not be sure because back then he was not keeping comprehensive logs. Through the years, he maintained Bash by himself and occasionally bug reports would arrive in his email inbox.