
Shellshock bug puts everyone at risk, UK watchdog warns


UK data watchdog says everyone needs to take responsibility to stop spread of hugely dangerous Shellshock bug

Individuals and organisations are being urged to make sure all their IT systems are up to date in the wake of the potentially catastrophic Shellshock bug. The UK’s data protection watchdog warned people not to think “this all sounds too complicated”, with hackers already taking advantage of the gaping security flaw affecting millions of computers, servers and other devices.

Shellshock exploits a critical vulnerability in the Bash software component found on Linux and Mac computers and 50 per cent of all web servers. The bug, which may have existed for over 20 years, could be one of the biggest computer security threats ever, with hackers potentially able to take control of millions of computers.


Now the UK Information Commissioner’s Office, which keeps an eye on data and privacy breaches, has warned that people and organisations must apply updates “as soon as practically possible”.

“This flaw could be allowing criminals to access personal data held on computers or other devices. For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure,” an ICO spokesperson said.

“The worst thing would be to think this issue sounds too complicated – businesses need to be aware of this flaw and need to be monitoring what they can do to address it. Ignoring the problem could leave them open to a serious data breach and ultimately, enforcement action.”

Individuals also need to take responsibility. With thousands of security updates being developed by software and hardware vendors, it is crucial that everyone patches affected systems.

“Security updates are currently being rolled out – don’t ignore them, but make sure you apply them as soon as practically possible,” the ICO spokesperson added.

The vulnerability was first uncovered earlier this week, but hackers are already taking advantage of gaping holes in the security of computer systems and servers around the world. The bug in Bash lets an attacker run code that is triggered when the component runs, something that shouldn’t be possible.

Apache servers, which half of all websites run on, are already being targeted through CGI scripts. These tiny bits of code carry out boring but essential tasks, but also inadvertently give attackers access to Bash. By using a piece of code to target the CGI scripts, a hacker can get into a server through Bash. Once a hacker has direct access to a server, they have complete control of it.

Worryingly, the attack is very easy to carry out on unpatched systems. All a hacker needs to do is copy and paste in some code and the command will execute. As Bash lies at the heart of so many computers and systems, it gives hackers control of just about anything.

At first there was no evidence that the bug had been exploited, but it was only a matter of time before this happened. According to a post on GitHub, a system administrator has found an exploit that used the Shellshock vulnerability to launch an attack. It appeared to attempt a brute-force attack on the server to guess usernames and passwords.

Experts have warned that the full seriousness of the Shellshock bug may not become clear for some time.
