Remember Heartbleed? That oh-so-terrible security vulnerability that had pretty much every major site you visit on a daily basis asking you to change your password?
Well, there’s apparently something worse: Shellshock — or the Bash bug. Much like Heartbleed, neither name really does much to explain what it is, so we’ll try our best.
Bash, or Bourne Again Shell, is a utility found in many Linux and Unix operating systems, and that ubiquity is exactly what makes the bug so problematic.
While the vast majority of folks don't use Linux as their main operating system, many devices, such as your television or even your thermostat, do use Linux as their base operating system.
All of these are vulnerable to a hacker, who only needs to add some extra code at the end of a normal Bash command line. That code is then executed, leaving your perfect room temperature open to malicious attacks.
A hacker would generally need high-level security access to take advantage of the bug, although the Red Hat security team notes certain services or applications allow remote unauthenticated access, which an attacker can exploit.
The bug was discovered by a French software developer Wednesday and patched the same day, which is great if your Bash version gets updated. But, according to security researcher Robert Graham, there’s plenty of software which doesn’t get patched:
“Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.”
Graham was one of the first to draw a comparison to Heartbleed, saying Bash is probably a bigger deal due to its ubiquity and how long it's likely to be a problem.
A writer at ZDNet says the sooner a person using Bash can take preventative measures the better. “This is not a bug to fool around with. It has the potential to wreak havoc with your systems. Worse still, a smart attacker could just leave malware mines behind to steal data after the fact.”
A writer at Gawker expressed the same pessimism, albeit a little more tongue-in-cheek, recommending “turning off your computer for the next several months and just waiting this out.”
If you're worried about your gadgets, be sure to update your Bash shell and keep yourself posted on the latest info concerning “Shellshock.”