It feels like major security vulnerabilities are more common than ever, and there’s a big one freaking out the blogosphere being referred to as “shellshock”. It was discovered by a Red Hat security team in the Bash shell.
Security expert Robert Graham at Errata Security has been blogging about the bug saying that it is “as big as Heartbleed,” and also that it’s twenty years old. He says it’s as big a deal as Heartbleed because it interacts with other software in unexpected ways, and that unknown systems remain unpatched. He writes:
We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.
Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.
Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.
I’d suggest keeping up with his blog for analysis on the issue, as it appears to be the go-to spot at this point.
Here’s an “everything you need to know about it” post from Troy Hunt, which you should probably also check out if this concerns you.