Shellshock is a newly discovered vulnerability in software that’s in computer systems we use every day. It’s kind of like Heartbleed, the OpenSSL bug that scared everyone senseless a few months ago and remains unpatched on thousands of systems. According to some experts, however, Shellshock could be way worse, and it’s been around for decades.
Shellshock affects a piece of software called Bash. Bash is a “Unix Shell,” a command line interface that allows a user to talk to a Unix-based system. Originally written in 1980, Bash has evolved from a simple command line interface into one of the most widely used utilities out there. Even though you probably don’t see Bash daily, there’s a good chance that it’s running in the background on your system. OS X and Linux both use Bash, and it has been ported over to everything from Windows to Android.
Discovered by a team from the open source software company Red Hat, the Shellshock bug allows attackers to inject their own code into Bash using specially crafted “environment variables” that have Bash functions in them. (Red Hat’s servers were having problems; here’s a cached version of their explainer.)
Without diving into all the technical nitty-gritty—some of which you can find here—what you need to know is that the bug leaves unpatched systems open to a variety of malicious and remote attacks. Bash is commonly used by web servers, so in theory it could be used to take over entire websites. Internet-connected devices like webcams are similarly vulnerable. But worst of all, since there’s a decent chance your computer is running Linux in the background, an attacker on your network could use the bug to extract personal information from your machine.
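For administrators who want to see whether their web servers have received such requests: CGI-style servers hand request headers to scripts as environment variables, and Bash treats a value that begins with `() {` as a function definition. The sketch below is an added example, not part of the original article; it scans access-log lines for header values with that prefix. The combined log format, the whitespace-tolerant pattern, the function name and the sample lines are all assumptions made for illustration.

```python
import re

# A Bash function passed through the environment is a value starting with
# "() {". Tolerating extra whitespace is a choice made for this example.
FUNC_PREFIX = re.compile(r'^\s*\(\s*\)\s*\{')

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (documentation IP ranges, trailing commands elided).
SAMPLE_LOG = '''\
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; [trailing command elided]"
203.0.113.44 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { ignored; }; [trailing command elided]" "ExampleClient/1.0"
192.0.2.10 - - [25/Sep/2014:10:00:12 +0000] "GET /docs/func() HTTP/1.1" 404 0 "-" "Mozilla/5.0"
'''


def find_function_style_headers(lines):
    """Return (line number, client IP, field) for every logged field whose
    value starts like a Bash function definition."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # not in combined log format; skip rather than guess
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX.match(match.group(field)):
                hits.append((lineno, match.group("ip"), field))
    return hits


if __name__ == "__main__":
    for lineno, ip, field in find_function_style_headers(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {ip} sent a function-style value in '{field}'")
```

A hit only shows that a request carried such a value, not that the server was vulnerable; whether the request reached an unpatched Bash has to be checked separately.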
But the main reason people are comparing Shellshock to Heartbleed is that the distribution of the bug is unknowably vast. Bash is baked into so many systems and has been around for so long that in all likelihood, the bug will never be fully fixed. This is vulnerable software that has been spreading across the technological world for years and years.
Read the full article here… http://gizmodo.com/why-the-shellshock-bash-bug-could-be-even-worse-than-he-1639047786/+whitsongordon
Credit – Gizmodo