Newly discovered vulnerabilities in the widely used Bash shell for Linux operating systems could result in the inadvertent sharing of data from connected devices, according to one expert evaluating the situation.
Researchers are piecing together the total impact of the issue following its disclosure earlier today. Linux distribution vendors like Red Hat and Canonical have been providing patches to install on devices, and cloud providers like Amazon Web Services have also provided instructions for customers to remedy the problem.
But the most direct effect could put devices on the Internet of things — and generally gadgets requiring remote access — into a tough position. That’s because Bash can allow technically savvy people to reach out to devices and get back arbitrary data in response, security expert Troy Hunt told VentureBeat in an interview.
“Certainly Internet-connected stuff is going to be the immediate vulnerability,” Hunt told VentureBeat, adding that devices running versions of Bash that haven’t been updated in years could be at risk.
The disclosure could have security researchers and IT administrators scrambling for days or weeks, just as the Heartbleed vulnerability did earlier this year. And because an unpatched version of Bash could lead machines to issue arbitrary commands, the potential risk of the vulnerability is much greater, Hunt said.
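For an administrator who wants to know whether a given host is among the unpatched machines described above, the following is an added check; it is not from the article or from Hunt. It assumes the article refers to the Bash flaw disclosed in September 2014, in which Bash, when importing a shell function from an environment variable, also executed any command appended after the function body. The function name and the probe strings are this example's own choices.

```shell
#!/bin/sh
# Added example: probe the bash on PATH for the environment-variable
# function-import flaw (assumption: the flaw the article describes).
#
# A function definition is exported in the variable "x", with an extra
# command appended after the closing brace. A patched bash imports the
# function and ignores the trailing command; an unpatched bash runs it.
#
# Return codes:
#   0  bash imported the definition but did not run the trailing command (patched)
#   1  bash ran the trailing command (vulnerable)
#   2  the probe could not be run (bash missing or not executing at all)
bash_imports_trailing_code() {
  out=$(env x='() { :;}; echo TRAILING_CODE_RAN' bash -c 'echo PROBE_OK' 2>/dev/null || true)
  case "$out" in
    *TRAILING_CODE_RAN*) return 1 ;;
    *PROBE_OK*)          return 0 ;;
    *)                   return 2 ;;
  esac
}

# Stand-alone usage: report the result of the probe on this host.
bash_imports_trailing_code
case $? in
  0) echo "bash on PATH ignores trailing code in imported functions (patched)" ;;
  1) echo "bash on PATH executes trailing code from environment variables (unpatched)" ;;
  *) echo "could not run the probe (is bash installed?)" ;;
esac
```

Run it on each host with a login shell or CGI handler that could receive attacker-controlled environment variables; a result of 1 means the host should be patched before anything else, since any program that passes untrusted input into the environment of a bash process gives that input the power to run commands.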
Researchers will be looking for evidence of exploits of the flaw, and companies could move to revoke security certificates and credentials in the wake of the revelation, said Hunt, a Sydney-based software architect at Pfizer and a Microsoft Most Valuable Professional who specializes in security.
But even before that, the impact is certainly catching people off guard today.
“Essentially, it’s a zero-day [threat] for many people,” Hunt said. “They’re not patched yet.”