
Shellshock is a flaw in a ubiquitous interface that affects a wide range of computer systems and computer-driven devices. (Photo: Mal Langsdon/Reuters)

Attackers appear to have begun exploiting the Shellshock bug, the major computer security flaw whose existence was made public this week.

AusCERT, Australia's Computer Emergency Response Team, reported in a bulletin released Thursday that it had "received reports that this vulnerability is currently being exploited in the wild. Administrators should patch vulnerable systems as soon as possible."

Several computer security firms said the initial patch for the issue was incomplete: it still allowed crafted input past Bash's parser, and the remaining problem was tracked under a separate identifier, CVE-2014-7169, so systems that applied only the first fix needed a second update.

The Russian security software maker Kaspersky Lab reported that a computer worm has begun infecting computers by exploiting Shellshock, according to Reuters.

Kaspersky researcher David Jacoby told Reuters that he did not know who was behind the attacks and could not name any victims.

The problem, which was made public Wednesday, comes just months after the Heartbleed Internet bug was discovered.

"It's much larger in scale than the Heartbleed issue," David Skillicorn, a professor at Queen's University's School of Computing, warned in an interview.

In Ottawa, the federal government was patching software and even taking some computer networks off-line, a Treasury Board official told


"We have billions of devices on the Internet and we're still going to see millions that have this problem," Josh Bressers, a member of the security response team at the North Carolina technology firm Red Hat, said in an interview.

The bug was discovered by a French programmer who was worried that the interface was behaving in a "naive way" and was open to accepting malicious code.

"The only people who don't have to worry about it are people who are running Windows consumer PCs or devices that are smaller than five centimetres by five centimetres," Prof. Skillicorn said.

"Absolutely everything in between is almost certainly affected."

This, he said, could include computers running Linux or Mac OS X, web servers, Internet-connected devices such as remote webcams, Wi-Fi routers and cable modems, and even Internet-enabled appliances.

Major software vendors and Linux distributions were sending out patches to remedy the problem.

"I presume Apple will be doing that quite soon as well," Prof. Skillicorn said.

"The big boxes will get fixed relatively straightforwardly. Things like my satellite box can be remotely updated. The problem is that my WiFi router in my house is not designed to be updated. ... it'll be a real, complete pain to do that."

The bug involves Bash, a command shell: the program that interprets the commands a user, or another program, sends to the computer's operating system.

"This is a rather unique problem because it uses a rather obscure functionality in Bash that people don't normally use," Mr. Bressers said.

"The problem is that these software systems are so big and so complex now, it is difficult sometimes to make sure that we're looking in the right places and covering all our bases."

What is Bash?

Bash is an acronym for "Bourne-Again Shell," a pun on the name of Stephen Bourne, the Bell Labs researcher who designed the original shell for computers running the Unix operating system.

A shell is the interface that enables a user to send a command to a computer's operating system.

Bash was created by an American programmer named Brian Fox for the GNU Project, a group dedicated to creating free Unix-compatible software.

Mr. Fox wrote the code in the late 1980s and released it in June 1989, which underlines the scope of the problem, since the flaw may have gone undetected for a quarter of a century.

What is the problem with Bash?

Normally, a human or another program can give Bash some commands and also set environment variables that those commands can read. Bash also uses the environment to pass shell functions from a parent shell to the child shells it starts: a variable whose value begins with "() {" is read as a function definition when the new shell starts.

The programming flaw is that, after reading the function's closing brace, Bash kept parsing and executing whatever followed in the same variable. Anyone who controls the value of such a variable can therefore tack additional commands on after the function definition, and they run as soon as a new Bash process starts.

"The problem is that, when you send a description of what you want to do, it doesn't check if that ends properly," said Queen's University's Mr. Skillicorn.

Bash's open-ended way of treating these definitions means that any program that copies untrusted input into the environment and then starts Bash, for example a web server running CGI scripts, which places the HTTP request headers in the environment, hands ill-intentioned users a way to run their own commands on the machine.

"You end up executing random bits of code automatically, which is a problem," Mr. Bressers said.
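The mechanism described above, as an added example that is not part of the article and not code from the Bash project. The script does two things a practitioner would want: it scans web-server log lines for the "() {" exported-function prefix followed by trailing commands (the log lines below are constructed for the example), and it runs the widely used `env x='() { :;}; echo vulnerable' bash -c "echo test"` probe against the local Bash to see whether the appended command executes. The log-format regex, the looser `\(\)\s*\{` detection pattern and the function names are assumptions for this example.

```python
"""Shellshock (CVE-2014-6271): log-based probe detector plus a live bash check.

Added example; not from the article or the bash project.  The log lines are
constructed, and the header regex and probe command are assumptions about
what a practitioner would use.
"""
import os
import re
import subprocess

# Bash imported any environment variable whose value began with the exact
# string "() {" as a function, then kept parsing and executing what followed
# the closing brace.  The detector is deliberately looser about whitespace
# than bash was, so that variants of the probe are still caught.
FUNC_PREFIX = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format (assumed for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines: two probes, one ordinary browser request, and a
# decoy whose query string only contains a URL-encoded "() {" (CGI passes
# QUERY_STRING to the environment still encoded, so bash never saw the prefix).
LOG_LINES = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :; }; /bin/bash -c \'cat /etc/passwd\'"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '500 0 "() { :;}; echo vulnerable" "curl/7.37.0"',
    '192.0.2.44 - - [25/Sep/2014:10:03:00 +0000] "GET /search?q=()%20%7B HTTP/1.1" '
    '200 100 "-" "Mozilla/5.0"',
]


def trailing_code(value):
    """Return the text after the function body of a "() { ... }" value.

    None  -> the value is not shaped like an exported function at all.
    ""    -> a legitimate exported function: nothing follows the body.
    text  -> a Shellshock payload: the command bash would have executed.
    """
    s = value.lstrip()
    m = FUNC_PREFIX.match(s)
    if m is None:
        return None
    depth = 0
    for i in range(m.end() - 1, len(s)):  # m.end() - 1 is the opening brace
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return s[i + 1:].strip().lstrip("; \t")
    return ""  # brace never closed: nothing after the body to run


def find_shellshock_probes(lines):
    """Yield (client ip, header field, appended command) for each log line
    whose Referer or User-Agent carries an exported-function payload.
    Those are the two header values the combined log format preserves."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "ua"):
            cmd = trailing_code(m.group(field))
            if cmd:
                hits.append((m.group("ip"), field, cmd))
    return hits


def bash_is_vulnerable():
    """Run the canonical probe against the local bash with a minimal
    environment.  True if the appended command ran, False if bash ignored
    it (patched), None if no bash binary is on PATH."""
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "x": "() { :;}; echo vulnerable",  # the payload lives in the VALUE
    }
    try:
        r = subprocess.run(["bash", "-c", "echo test"], env=env,
                           capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    return "vulnerable" in r.stdout


if __name__ == "__main__":
    for ip, field, cmd in find_shellshock_probes(LOG_LINES):
        print(f"{ip}: Shellshock probe in {field}: {cmd}")
    verdict = {True: "VULNERABLE", False: "patched", None: "bash not installed"}
    print("local bash:", verdict[bash_is_vulnerable()])
```

The detector looks for the prefix only at the start of a header value, which is where Bash looked; a probe buried in the middle of a query string never reached a function import, so flagging it would only add noise.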

How was it uncovered?

The vulnerability was discovered last week by a French programmer based in Edinburgh, Stéphane Chazelas.

In an e-mail interview, Mr. Chazelas said he was reflecting on another security flaw that he had previously reported, and began to look at the way Bash handled exported functions, a little-known feature that passes function definitions between shells through the environment.

He was concerned that Bash could be tricked into running whatever code was appended to an exported function definition.

"I thought that if Bash implemented it the naive way, there was scope for a big problem. And sure enough, Bash implemented it the naive way," Mr. Chazelas said.

He reported the problem so a fix could be created.

The flaw was officially disclosed Wednesday when the U.S. government added it to its National Vulnerability Database under the identifier CVE-2014-6271.

The government advisory on CVE-2014-6271 gave it the highest CVSS severity rating: 10 out of 10.
