
Experts Say 'Bash' Bug Is a Major Vulnerability But Not a Major Threat

Sep 25, 2014

When the Heartbleed software bug was disclosed in April, there was no shortage of publicity about its risks and defensive measures—and for good reason. And the Bash bug, discovered Wednesday, is prompting similar widespread fear. The security flaw is named after a vulnerable piece of software, Bash, that's built into several ubiquitous operating systems, including Apple's Mac OS X.

"People were taking Heartbleed very seriously," said Jim Reavis, CEO of cybersecurity firm Cloud Security Alliance. "If people don't take Bash seriously, it'll become a self-fulfilling prophecy."

Cybersecurity experts like Reavis don't doubt that the Bash bug is dangerous: it is, and it needs urgent attention. The afflicted Bash software, released in 1989, is open source software that was built into Linux and Mac OS operating systems and then widely integrated into many corporate and personal computer programs, experts said. Preliminary estimates say it could impact up to 50 percent of Internet-connected servers, according to Darien Kindlund, director of threat research at FireEye, a network security company.

"Bash is yet another type of open source software that has been reused, repurposed," Kindlund said.

But the threat posed by the Bash bug—it could theoretically remotely command computers and extract private information—is overblown, cybersecurity experts told TIME. Average computer users aren't likely to be directly targeted by hackers, experts said. And for the vulnerability to be triggered, the attacker would need to deliver content to the user, and then get the user to execute Bash with that content, according to Kindlund. Normal web browsing, emailing or other common activities do not involve calling Bash. What average users should be worried about are more traditional hacking techniques, like phishing emails and links to malicious websites, said John Gunn of VASCO Data Security.

"There are so many other methods that have a high degree of success that would take priority over [Bash as a hacking tool]," Gunn said. "The vulnerability really exists for large organizations that may have servers running Linux."

Companies whose web servers aren't updated internally on a frequent basis may be most at risk because they continue to use old technology, according to Kindlund. Some companies that still store private data on Internet-facing servers—an outdated practice, as it makes sensitive information more vulnerable—or do not have strong security may be vulnerable as well, but they can take precautions by inspecting each and every one of their Linux-based servers, said Tanuj Gulati, CTO of Securonix, a security intelligence firm.

"The Apples or the Amazons or the Googles of the world aren't the ones I’m worried about the most," Reavis said. "But it could be some big companies that use this technology, but simply don't have an awareness budget, or not taking this seriously."

Still, many companies already have protection mechanisms in place that would prevent Bash from inflicting significant harm. Most servers can detect anomalous traffic and behavior, and many already take precautionary efforts by keeping records offline where they are inaccessible, Gunn said.

"What this Bash vulnerability depends on is a lot of other failures," Gunn added. "This isn't a single point of failure, whereas in Heartbleed, it was."

Numerous patches for the Bash bug have already flooded the market. While security researchers have claimed the patches are incomplete, experts agree that fully fixing the vulnerability would take years. Additionally, the absence of any known major breaches using Bash has boosted security experts' confidence that the bug may not pose a widespread threat.

"Most vulnerabilities of value are either shared or sold in the hacking community," Gunn said. "If this had been a viable hacking method, it would've been exchanged in the hacking community, and it has not."

But the fact that Bash may not pose a major threat to individuals or companies doesn't mean its danger should be understated, experts agreed.

"You saw a lot of worry about [Heartbleed], and there really wasn't much that happened. The economy didn't grind to a halt. Cities didn't black out," said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. "It's a vulnerability. A flaw."
