Repairing The Internet: The Aftermath Of Shellshock


The Appearance Of Heartbleed And Shellshock

September 24th, 2014 marked the first reported incident of the Shellshock bug, a security vulnerability in the Linux and Mac software “Bash” (a command line interpreter) which could potentially allow an attacker to take almost complete control of a vulnerable system. This bug came on the heels of the April panic over Heartbleed, a vulnerability in OpenSSL which could allow malicious users to retrieve information from protected servers (ranging from Facebook to Gmail), whether that information was chat logs, emails, or passwords. Heartbleed was identified by a Forbes columnist as “the worst vulnerability found… since commercial traffic began to flow on the Internet.” Shellshock was then hailed as “even worse than Heartbleed.” Within a week of the discovery of Shellshock, however, developers released a slew of patches repairing the design flaws of Bash, averting the potentially enormous fallout of the vulnerability. While experts say that Shellshock could still have an impact on Internet of Things devices, Shellshock presents no real threats to consumers at this point. The same goes for Heartbleed: within a week major websites had patched the vulnerability and encouraged their users to change passwords to avert any additional fallout. However, the aftermath of the bug leaves the general population with a list of questions: where do these security bugs come from? What do these huge vulnerabilities, discovered in systems used by hundreds of millions of users, mean for the average consumer and for the fate of the internet?

What Heartbleed And Shellshock Reveal About The Internet

The most important thing to remember about these security flaws is that they are just that: flaws. These are not pieces of software developed specifically for the purpose of attacking users and companies. Instead, they are vulnerabilities which exist in the systems we are using every day, harmless until they are discovered and exploited. The software exploited by the Shellshock bug has been around and used for a whopping 27 years. The code has been open-source, meaning that anybody can use it and can, at any point, review it to search for flaws and vulnerabilities. However, neither of these bugs was discovered until after many years of widespread use, and it took the catastrophic revelation of a major security flaw for these old systems to be re-examined, patched, and re-worked. The same goes for Heartbleed, with experts estimating that the bug might have been exploited by attackers for at least five months before its public discovery and announcement. This paints a pretty damning picture of the infrastructure of the internet: it reminds us that much of the code we use today was written at a point in time when security was not a major priority. The team which designed OpenSSL, the encryption system exploited in Heartbleed, consisted of only 11 members, 10 of whom were unpaid volunteers, yet the code they created was relied upon by major tech companies to protect consumer information. Washington Post columnist Andrea Peterson remarked that “what Heartbleed and Shellshock show is a distinct lack of formal review structure with devastating results.”

Repairing The Internet

One positive result of these two bugs is that they have encouraged major companies to take some steps to review and check old code. In the aftermath of Heartbleed, major tech companies, including Google, Amazon, and Microsoft, joined to form the “Core Infrastructure Initiative”. This project seeks to fund open-source projects, such as OpenSSL, in the hope of reworking and repairing the faulty internet infrastructure created in years past.

What These Bugs Mean For Internet Users

For the average internet user, the lessons learned from these security failures boil down to the need for vigilance. When Shellshock came around, users couldn’t do very much except sit and wait as news of vulnerabilities and the subsequent patches unfolded. In the case of Heartbleed, however, remaining safe meant changing passwords, because that information may well have been compromised. While these bugs have given rise to serious questions about possible flaws in other existing systems, for average users there’s little to be done to prevent, avoid, or repair security bugs such as these. Instead, Heartbleed and Shellshock serve as reminders of the responsibility which accompanies technology. The security bugs which emerged this year won’t be the last ones we see, and in order for our information to remain protected we need to remain aware of the risks.
Updated on: November 10, 2015