Bash bug has probably been around since 1992


The vulnerability in Bash that allows attackers to take over a system has probably been around since 1992. So says the developer responsible for the shell. All this time, as far as is known, the bug has gone undetected.

Chet Ramey, the volunteer in charge of Bash, told The New York Times that he probably introduced the bug by accident in 1992. Ramey notes that he is not sure, because he did not keep detailed logs at the time. The bug went unnoticed by Ramey himself until at least September 12, when he was tipped off about the vulnerability’s existence.

The bug is easy to exploit and offers far-reaching access: an attacker can run their own code on a system. It cannot be ruled out that researchers noticed the security problem at some point in the past 22 years and chose to keep the vulnerability under wraps, for example in order to sell it. Companies such as the French firm Vupen specialize in finding and selling so-called zero-day security vulnerabilities.

In the meantime, the bug has largely been squashed, although in certain cases it is still possible for an attacker to run code. In addition, a system can only be protected if a patch is available. The problem is that users often patch devices such as routers, NAS systems and even wireless webcams with a built-in web server less quickly than a desktop operating system, so these devices can remain vulnerable for years to come.

According to security researcher Robert Graham, Bash’s underlying code is seriously outdated. The Bash bug, also known as Shellshock, is nothing more than a warning that more bugs will follow, he says. “The cause is not a programmer’s error, but a systematic failure in the code,” writes Graham, noting that three similar bugs have already been found. “The code is outdated and written to the standards of 1984 instead of 2014.”

The vulnerability can be exploited by adding a number of characters, followed by code, to an environment variable. As soon as a Bash session is opened, that code is executed. Any application that relies on the Bash shell is potentially vulnerable. This includes web servers, which can be tricked with HTTP requests. DHCP clients are also potentially vulnerable: a DHCP server could run its own code on a PC. That’s a problem on public Wi-Fi hotspots, for example.
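The check below is an added example, not code from the article or from the Bash project: it scans web-server access log lines for request fields that begin with the `() {` function-definition prefix, the shape of value Bash treated as code to import from the environment. The log lines, addresses and combined-log layout are constructed sample data, and the function names are hypothetical.

```python
import re

# Bash imported an environment value as a function when it began with "() {".
# Whitespace variations are tolerated so trivially reformatted values still match.
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

# One double-quoted log field; backslash-escaped quotes inside it are allowed.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
# Combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("request", "referer", "user-agent")


def flag_line(line):
    """Return (client_ip, [suspicious field names]) or None if the line is unparsable."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    values = m.groups()[1:]
    hits = [name for name, value in zip(FIELDS, values) if FUNC_PREFIX.match(value)]
    return m.group(1), hits


def scan(lines):
    """Collect flagged requests and count lines that could not be parsed."""
    findings, unparsed = [], 0
    for line in lines:
        result = flag_line(line)
        if result is None:
            unparsed += 1          # report these; do not silently skip them
        elif result[1]:
            findings.append(result)
    return findings, unparsed


# Constructed sample log (documentation-range addresses, placeholder trailing text).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { x; }; PLACEHOLDER_TRAILING_TEXT"',
    '203.0.113.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "()  {  x; }; PLACEHOLDER" " () { x; }; PLACEHOLDER"',
    'truncated line without the expected fields',
    '192.0.2.11 - - [25/Sep/2014:10:00:04 +0000] "GET /blog/func HTTP/1.1" 200 90 "-" "notes on () { syntax"',
]

if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOG)
    for ip, fields in found:
        print(f"{ip}: function-definition prefix in {', '.join(fields)}")
    print(f"{skipped} line(s) could not be parsed")
```

A hit shows that a request carried such a value, not that the host was vulnerable or that anything ran; whether the system was exposed still depends on the installed Bash version and on whether the request reached a Bash process.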
