Linux users got a nasty surprise today, as a security team at Red Hat uncovered a subtle but dangerous bug in the Bash shell, one of the most versatile and widely used utilities in Linux. It’s being called the Bash bug, or Shellshock. When accessed properly, the bug allows for an attacker’s code to be executed as soon as the shell is invoked, leaving the door open for a wide variety of attacks. Worse yet, it appears the bug has been present in enterprise Linux software for a long time, so patching every instance may be easier said than done. Red Hat and Fedora have already released patches for the bug. The bug also affects OS X, and while the company has yet to release an official fix, this Stack Exchange post contains details on how Mac users can check for the vulnerability and patch it once identified.
Errata Security’s Robert David Graham has already compared the bug to Heartbleed, for its broad and potentially longterm effect on system security. “An enormous percentage of software interacts with the shell in some fashion,” Graham wrote in a blog post. “We’ll never be able to catalogue all the software out there that is vulnerable to the bash bug.” Berkeley ICSI researcher Nicholas Weaver agreed with the pessimism, saying, “It’s subtle, ugly, and will be with us for years.”