The Bash bug could leak data from connected devices, researcher says

A prototype for a connected device. (Note: This device is not implicated in the Bash security bug; it's here for illustration only.)

Image Credit: Dean Takahashi/VentureBeat

Newly discovered vulnerabilities in the widely used Bash shell for Linux operating systems could result in the inadvertent sharing of data from connected devices, according to one expert evaluating the situation.

Researchers are piecing together the total impact of the issue following its disclosure earlier today. Linux distribution vendors like Red Hat and Canonical have been providing patches to install on devices, and cloud providers like Amazon Web Services have also provided instructions for customers to remedy the problem.

But the most direct effect could put devices on the Internet of things — and generally gadgets requiring remote access — into a tough position. That’s because Bash can allow technically savvy people to reach out to devices and get back arbitrary data in response, security expert Troy Hunt told VentureBeat in an interview.

“Certainly Internet-connected stuff is going to be the immediate vulnerability,” Hunt told VentureBeat, adding that devices running versions of Bash that haven’t been updated in years could be at risk.

The issue could have security researchers and IT administrators scrambling for days or weeks following the disclosure, just as the Heartbleed security vulnerability did earlier this year. And because an unpatched version of Bash could lead machines to issue arbitrary commands, the potential risk of the vulnerability is much greater, Hunt said.

Researchers will be looking for evidence of exploits of the flaw, and companies could move to revoke security certificates and credentials in the wake of the revelation, said Hunt, a Sydney-based software architect at Pfizer and a Microsoft Most Valued Professional who specializes in security.

But even before that, the impact is certainly catching people off guard today.

“Essentially, it’s a zero-day [threat] for many people,” Hunt said. “They’re not patched yet.”