This is a great article – Published September 29, 2014 Info-Security
Written by Phil Muncaster
Last week the information security world was rocked yet again by a major vulnerability in a little-known piece of software that could have severe ramifications for the security of large swathes of the internet.
The so-called ‘Shellshock’ bug shares more than a few similarities with the infamous Heartbleed flaw, which rattled the net back in April this year. Some experts say it could be even worse, while others caution that the exploit paths are too complex to make sweeping judgements about it quite yet.
So how scared should we be?
Back to Bash-ics
The Shellshock vulnerability itself, CVE-2014-6271, was discovered by an Akamai researcher, Stephane Chazelas. It allows an attacker who passes commands to an extensively used shell called Bash (the Bourne Again Shell) to execute arbitrary code. The US National Vulnerability Database has given it the highest severity rating – 10/10 – claiming that it does not require authentication to exploit and allows unauthorized disclosure of information, unauthorized modification, and disruption of service.
For those still bemused, this particular vulnerability could be so dangerous because of the ubiquity of Bash. A huge number of web-connected devices, web servers and web services run on Linux versions that include it. In particular, hugely popular Apache web servers running CGI scripts are at risk, as are even “email clients and web clients that pass files to external programs for display such as a video file or a sound file,” according to Jim Reavis of the Cloud Security Alliance. What’s more, the bug has been around for 25 years, so there could be large numbers of unknown and unpatched systems which could yet disrupt corporate security strategies.