Shellshock Bug's Impact Could Be Huge, But It's Unclear For Now

Transcript

LINDA WERTHEIMER, HOST:

Millions of computers and networks are at risk after a security flaw, which is being called Shellshock, was found last week. Now this is not a virus. It's a bug - a mistake in code. And it turns out, it's actually been around for a while. It took 22 years to discover this bug. And the impact could be huge if the security flaw is exploited by hackers.

NPR's Elise Hu is here to explain Shellshock. So, Elise, what has security companies worried about this thing?

ELISE HU, BYLINE: Well, your computer has a type of program called a shell. And that lets you give it commands - for instance, run my web browser, open up this file, that sort of thing. Now if you use a Mac, that shell is likely a shell called Bash. Bash is where this software bug was discovered.

And since this is what runs when you give your computer commands, the worry here is that Shellshock could be used to take control of your machine. You can imagine, Linda, if - the danger if a malicious hacker were to give it the wrong command, such as delete my files or download a nasty virus. So the main concern here is that your computer could be shelled into, remotely, making users quite vulnerable.

WERTHEIMER: So what is it that has the security companies so worried?

HU: It's the wide scope of the computers and the networks affected. And the potential here for wreaking havoc for any system connected to the Internet. Shellshock, as it's been named, effects websites and computers running operating systems like Mac OS, which many of us run, and Linux. It's estimated that more than 80 percent of the Internet serves its websites on that Bash software affected by this bug.

WERTHEIMER: So do the Internet companies have to do something?

HU: They have to release patches. And since it does affect so much of the Internet, the big companies, like Google and Amazon, you don't have to worry about. They have already rolled out software patches for this. The question now is whether smaller sites and programs will patch things up quickly or leave themselves and their users vulnerable.

WERTHEIMER: So is there something that individual users, like me - is there something I should do?

HU: Well, Linda, for now know that the vulnerability does not affect Microsoft Windows users, but Mac users are more at risk here. Apple says not to worry, there's going to be an operating system update, or a patch, for anyone running the more advanced systems on Mac's. But generally, just keep up-to-date with any software updates, and update your computer and mobile devices as Apple releases those.

And for the websites you commonly use, the best way you can limit your exposure is just to use different passwords for different services. And also you can find out who's making the software you're using, and what the manufacturer is saying about the Shellshock bug so that you can better protect yourself.

But Linda, we really won't see the fallout immediately. It's likely to play out over the next few months, or even years, as the sites that don't patch themselves up and monitor their security closely could leave themselves vulnerable for a long time. And that's when a hacker could to take control.

WERTHEIMER: NPR's Elise Hu covers technology and culture for us. You can read more about Shellshock on our tech blog, All Tech Considered, at npr.org. Elise, thanks.

HU: You're welcome. Transcript provided by NPR, Copyright NPR.