
 

eSP - IT Solution Providers in Europe


Shellshock Bashes Linux Security


A Red Hat security team discovers a dangerous bug in the Linux bash shell: "Shellshock", a flaw providing an open door for hackers to run unauthorised code on Linux servers.

The bash shell is a Unix mainstay that allows computers to interact with the OS. Exploiting the Shellshock vulnerability requires only a connection to software such as PHP or DHCP, followed by 3 lines of code.

According to some security experts, Shellshock is possibly bigger than Heartbleed: while the earlier vulnerability affected only a specific OpenSSL version, Shellshock has been around for a long time and thus affects old devices. Internet-of-Things devices such as security cameras are also vulnerable, as their software is built on web-enabled bash scripts.

"There's little need to rush and fix this bug," Errata Security CEO Robert Graham writes. "Your primary servers are probably not vulnerable to this bug. However, everything else probably is."

Graham adds that Shellshock is not as pressing as phishing attacks, but it is present in more systems, makes it easier to run malicious software on vulnerable systems and is harder to track down.

"[S]aying 'as bad as Heartbleed' doesn't mean your website is going to get hacked tomorrow, but that a year from now we'll be reading about how hackers got in using the vulnerability to something interesting," Graham continues.

Either way, one still needs to patch the bugs on possibly vulnerable servers, an easy enough task according to CloudFlare, which says it fixed 95% of its servers in 10 minutes. That said, as mentioned earlier, bash is present in countless software packages, and just as Heartbleed vulnerabilities persist to this day, so will Shellshock.

Go Shellshock Announcement

Go Bash Bug as Big as Heartbleed (Errata Security)