Years before ‘deadly’ shellshock bug is eradicated, warns professor

University News Last updated 26 September 2014

Person using a laptop

A 'deadly' bug potentially affecting hundreds of millions of computers, servers and devices has been discovered this week. The flaw has been found in a software component known as Bash, which is a part of many Linux systems as well as Apple's Mac operating system. The bug, dubbed Shellshock, can be used to remotely take control of almost any system using Bash, researchers have said.

Professor Mike Jackson, cyber security expert from Birmingham City University, warns that Apple PC users are more at risk to the flaw and that although the potential damage is hard to gauge, millions of websites could be open to the exploitation of the shellshock bug.

“There are two main families of basic computer software in the world: those which are Windows-based and those which are Unix-based. The Unix world has just been rocked by the news that a piece of fundamental software is flawed and has opened the gateway to hacking attacks. Even worse news is the fact that this flaw has existed for a decade! It is feared that this newly discovered flaw may be more damaging than the ‘Heartbleed’ bug which was discovered earlier in the year.

“Obviously everyone wants to know if they might be vulnerable to attack. If you are an Apple PC user then the immediate answer is ‘Yes’. Apple’s OS X operating system is Unix-based and therefore vulnerable. Window’s users should not however be complacent. Your PC might be safe but what about the router you use for your broadband? It will use Unix-based software and therefore may be at risk of attack.

“Even if we feel safe with the computers we own, what about those computers we use but don’t own? Every time we access a website we are effectively using someone else’s computer and we open ourselves up to their vulnerabilities. One of the major pieces of web server software called Apache is Unix-based and known to be at risk from this software fault.

“Literally millions of websites could be open to the exploitation of the Shellshock bug. The damage it could cause is as yet unknown. The only safe prediction is that given the number of computers which are at risk that it will be years before this vulnerability is completely eradicated.”

For further comments and interview opportunities, please contact the Press Office on 0121 331 6738.

Back to News