Heads-Up, Mac and Linux Bash Shell Vulnerability Could Leave You ‘Shellshocked’
It's being called a worse threat than Heartbleed, but unlike Heartbleed, "Shellshock" can affect home users just as well as servers. The bug is tied to the Bash Unix shell, one that's pretty much de facto in Linux, and can be found in all Mac OS X releases. While you'll be in a Bash environment whenever you open up a terminal, there are many cases where Bash will run in the background as well - such as with SSH, which constantly listens for connections.
The bug was reported to Red Hat last week and published just yesterday. The report reads:
"A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue."
As Shellshock is being treated as a severe threat, Red Hat is actively working on issuing a proper patch. An initial patch has already been released, but it's being said that it's not perfect yet. For Mac OS X, users will have to wait for Apple to issue a patch; for Linux, users will have to wait for an update to become available. I wouldn't expect for that to take too long; in my distro of choice, Gentoo, patches have already been released for multiple versions of the Bash shell.
Because of the severity, anyone administrating a Linux server would be wise to continually check for updates - or, if you're well-versed enough, switch over to a different shell for the time-being. Hopefully by now, you'll see a patch and won't have to go the latter route.
While Shellshock is going to be patched up rather quickly on PCs and servers all over the world just as Heartbleed was, if there's one thing that bug has taught us - there's no doubt that there will remain many vulnerable systems in the months ahead.