The injuries of Heartbleed bug are probably still fresh as the bug affected Internet users for a long time and remain undetected. However, once discovered, it proved to be fairly easy to patch up back end servers and secure users with simple extensions helping them to see if some website remained affected. While the Heartbleed made many a people wonder about the concept of security in the digital world, a new bug will perhaps take this insomniac worry to a new level. A new vulnerability has been discovered in the Bash shell, one of the most widely installed utilities in Linux. Termed as Bash bug or Shellshock, the vulnerability might not be as easy to fix as Heartbleed and has possibly affected longer than the former bug.
Bash bug vulnerability:
Linux Bash bug has been uncovered by the Red Hat security team which is being called a "subtle but dangerous bug." This Linux Bash bug comes from the immense usage of Bash utility which is often called by a lot of programs in the background and provides a shell to a remote user along with other possibilities like limited command execution support. Considering the presence and possibility of invoking Bash, the vulnerability then arises when the hacker creates special values before calling Bash shell. These values can be any code that get executed once the shell is called, exposing the system.
Red Hat explains that the vulnerability is caused by the fact that it is possible to add extra code to the end of the function definitions inside the environment variable and can be patched by ensuring that no code is allowed after the end of a Bash function. However, fixing will not be such an easy feat. Linux Bash bug has been present in the enterprise Linux software for quite a long time making patching a difficult job. This has been described by Errata Security:
Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.
Shellshock also reportedly affects the OS X, however, no official fix is yet released for the Mac users. Potentially as disastrous as Heartbleed bug, Linux Bash bug or Shellshock will be with us for years to come as it would be a difficult job to analyse all the software that is vulnerable to this bug. Errata's Robert Graham went on to call it even more dangerous than Heartbleed, "This 'bash' bug is probably a bigger deal than Heartbleed, btw".
- Source: Red Hat