Security experts and Linux distributors have been frantically racing to develop patches for the vulnerability dubbed ‘Shellshock’.
The bug, which was discovered by Stephane Chazelas, is present in the Bourne-Again Shell, a.k.a. Bash. Affecting Unix-based operating systems such as Mac OS X and Linux, the vulnerability allows attackers to run shell commands of their choosing on an affected system. While the vulnerability was first thought to be a proof-of-concept, there are now reports of the bug being exploited in the wild.
Unix underpins such a vast array of devices that it is difficult to quantify the potential scale of the problem, but initial estimates are huge. From Apache web servers to DHCP clients, the bug has the potential to be exploited across such a wide variety of systems that the numbers could dwarf Heartbleed. It is estimated that the number of impacted systems could be a thousand times that of the OpenSSL bug. Security experts are in general agreement that Shellshock is a ten out of ten in terms of severity.
The US Computer Emergency Readiness Team (US-CERT) issued a warning urging administrators to apply patches immediately. CentOS, Debian, Red Hat and Ubuntu all have patches available; however, security professionals warn that the patches are incomplete. Red Hat said that it was working on a new patch, but advised administrators to apply the initial release in the meantime.
Already having a disastrous week, Apple has acknowledged that OS X could potentially be exploited and has said that a fix is on the way.
“Literally millions of websites could be open to the exploitation of the Shellshock bug,” said Professor Mike Jackson, cyber security expert from Birmingham City University. “The damage it could cause is as yet unknown. The only safe prediction is that, given the number of computers which are at risk, it will be years before this vulnerability is completely eradicated.”