Security researchers have unveiled that they’ve discovered a vulnerability that affects both Linux-based or Mac computers that could possibly prove even worse than Heartbleed, a previously found security bug that also caused large-scale concern in the industry.
The new bug, called Shellshock, affects an application called Bash which is one of the most installed shells on Linux systems. A shell is a program that receives user commands and translates those commands into code that either the OS or application can understand and then run. The vulnerability enables individuals to insert malicious commands and code into the process and run it as soon as the shell starts which makes it susceptible to a wide variety of attacks.
The reason this bug is so dangerous is mainly because of the high usage of the Bash shell in both Linux-based and Mac OS X machines which not only include user devices but also web servers and programs that users access every day. This fact alone already makes Shellshock more widespread and dangerous than Heartbleed. Another issue is that since so many different Linux/UNIX-based applications use Bash it’ll prove almost impossible to determine if every instance of the vulnerability has been patched.
Researches at Red Hat have said, “This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.”
Many Linux developers like including Red Hat, CentOS, and Debian have already released patches for Bash to try and fix the issue but due to how widespread it is there could still be some devices or web servers that remain vulnerable to the bug. It is also an issue that users may not directly be able to fix the vulnerability and may have to rely on their web administrators to update and secure their web servers some of which are unmaintained or outdated.
According to Errata Security’s Robert David Graham, Shellshock could be an issue for years to come saying, “We’ll never be able to catalogue all the software out there that is vulnerable to the bash bug.”