Shellshock is a newly discovered vulnerability in software that’s in computer systems we use every day. It’s kind of like Heartbleed, the OpenSSL bug that scared everyone senseless a few months ago and remains unpatched on thousands of systems. According to some experts, however, Shellshock could be way worse, and it’s been around for decades.
Shellshock affects a piece of software called Bash. Bash is a “Unix shell,” a command line interface that lets a user talk to a Unix-based system. Originally written in 1980, Bash has evolved from a simple command line interface into one of the most widely used utilities out there. Even though you probably don’t see Bash daily, there’s a good chance that it’s running in the background on your system. OS X and Linux both use Bash, and it has been ported to everything from Windows to Android.
Discovered by a team from the open source software company Red Hat, the Shellshock bug allows attackers to inject their own code into Bash using specially crafted “environment variables” that have Bash functions in them: vulnerable versions of Bash import any variable whose value starts with “() {” as a function definition, and keep executing whatever follows the function’s closing brace. (Red Hat’s servers were having problems; here’s a cached version of their explainer.)
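To make the mechanism concrete from the defender’s side, here is an added example (not from the article or from Red Hat) that scans a set of environment variables for the Shellshock shape: a value that starts like a Bash function definition and carries extra text after the function body. The function names and the sample environment are constructed for this example.

```python
"""Static check for Shellshock-shaped environment variable values.

Before the fix, Bash imported any environment variable whose value began
with "() {" as a function definition and kept parsing past the closing
brace, so trailing text was executed as a command. This scanner flags
values with that shape that carry anything after the function body.
"""
import re
from typing import Dict, List, Optional, Tuple

# A function-shaped export begins with "() {" (whitespace tolerated).
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def trailing_after_body(value: str) -> Optional[str]:
    """Return the text after the function body, or None when the value is
    not function-shaped or has nothing after its closing brace."""
    m = FUNC_PREFIX.match(value)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(value)):  # start at the opening brace
        ch = value[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                rest = value[i + 1:].strip()
                return rest if rest else None
    return None  # unterminated body: not the trailing-command pattern


def scan_environ(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (variable, trailing text) for every suspicious value in env."""
    findings = []
    for name, value in env.items():
        rest = trailing_after_body(value)
        if rest is not None:
            findings.append((name, rest))
    return findings


# Constructed sample, shaped like what a CGI-style server exports to Bash.
SAMPLE_ENV = {
    "HTTP_USER_AGENT": "() { :; }; echo vulnerable",  # Red Hat's test string
    "HTTP_HOST": "example.test",                       # ordinary value
    "greet": "() { echo hi; }",                        # clean exported function
    "HTTP_COOKIE": "() { x; }; echo test",             # trailing command
}

if __name__ == "__main__":
    for name, rest in scan_environ(SAMPLE_ENV):
        print(f"{name}: trailing text after function body: {rest!r}")
```

Such a check is a triage aid for logs and captured requests, not a substitute for patching Bash itself.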