Security researchers have discovered a vulnerability in the Bash shell, a widely installed command interpreter used by many Linux and Unix operating systems, including Apple’s OS X. The shell is a piece of code that translates your commands into something the computer’s OS can understand. Shellshock leaves websites and devices powered by these operating systems open to attack.
According to researchers, Shellshock is potentially more serious and more widespread than the Heartbleed bug detected back in April, and could take years to fix properly.
Unlike Heartbleed, which required users to change their passwords for various internet services, Shellshock currently has no easy fix and opens a way for hackers to take over computers or mobile devices. By requesting almost any data and running malware, a hacker can infect any affected server, including web servers on the internet, routers and many consumer devices that use embedded smart systems.
Shellshock was made public on Wednesday. Patches for Bash were quickly released by Linux vendors, but investigation made it clear that the patched version does not completely protect Bash from code injection via environment variables. In an update overnight, Red Hat said it is working on a new patch but advises people to upgrade to the incomplete one for now.
Robert Graham from Errata Security tested a number of web servers for the vulnerability and found that around 3,000 systems were vulnerable.
To address this issue, web server admins should make sure they have the latest version of Bash. Ordinary users are instructed to upgrade to the patches released by Red Hat and Ubuntu. Users are also warned that the software on their router is rarely updated, and that updating something like a smart lock, a light switch or a security camera is even less common.
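As an added example (not from the article or from any vendor), the following script lets an admin check whether the Bash on a host still runs the trailing command from a function definition passed in an environment variable, which is the injection path the article describes. It only exercises the local bash binary; the variable name and probe strings are constructed for the test, and a "patched" result covers this one injection path only, not the follow-on issues the article says Red Hat is still working on.

```shell
#!/bin/sh
# Added example: local self-check for the Bash environment-variable
# function-import flaw. Runs only against the bash installed on this host.

# Prints "vulnerable" if the extra command appended to the exported function
# definition executes, "patched" if it does not, "no-bash" if bash is absent.
shellshock_status() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo "no-bash"; return 0; }
    # TESTVAR (constructed name) holds a function definition followed by an
    # extra command. An unpatched bash runs that extra command while importing
    # the function; a patched bash ignores it and only prints the probe string.
    out=$(env TESTVAR='() { :;}; echo injected' "$bash_bin" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *injected*) echo "vulnerable" ;;
        *)          echo "patched" ;;
    esac
}

# Exit-status wrapper for config-management or monitoring checks:
# 0 when patched, 1 when vulnerable, 2 when no bash binary is installed.
shellshock_exit_code() {
    case "$(shellshock_status)" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

shellshock_status
```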