It feels like major security vulnerabilities are more common than ever, and there’s a big one freaking out the blogosphere that is being referred to as “Shellshock”. It was discovered by a Red Hat security team in the Bash shell.
Security expert Robert Graham at Errata Security has been blogging about the bug, saying that it is “as big as Heartbleed” and that it’s twenty years old. He says it’s as big a deal as Heartbleed because Bash interacts with other software in unexpected ways, and because an unknown number of systems will remain unpatched. He writes:
We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.
Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.
Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.
I’d suggest keeping up with his blog for analysis on the issue, as it appears to be the go-to spot at this point.
Here’s what the Twitterverse is saying:
This 'bash' bug is probably a bigger deal than Heartbleed, btw.
— Robert Graham (@ErrataRob) September 24, 2014
@SteveD3 An immense amount of code interacts with the shell in some fashion.
— Robert Graham (@ErrataRob) September 24, 2014
@SteveD3 we've always known interacting with the shell is unsafe, but we've been doing it anyway
— Robert Graham (@ErrataRob) September 24, 2014
…for example, here is the bash bug in action on Mac OS X pic.twitter.com/nfDCUdRnb5
— Robert Graham (@ErrataRob) September 24, 2014
@SteveD3 After patching, it no longer matters that the variables are bad.
— Robert Graham (@ErrataRob) September 24, 2014
Here’s an “everything you need to know about it” post from Troy Hunt, which you should probably also check out if this concerns you.