"Shell Shock" Could Give Hackers Keys to Your Website
You might recall "Heartbleed," a password-thieving software bug that left hundreds of thousands of computers vulnerable while you pretended to understand and worry. Now we've got another source of esoteric computer dread, and it might be even worse.
Shell Shock—coined by security researcher Robert Graham—works by exploiting a piece of software called "Bash," which allows users and other computers to communicate with many Linux and Unix operating systems. This means a computer could be compromised by an outsider with malicious intent—and those guys are everywhere these days.
This is a particularly big problem because a giant swath of the internet is built atop servers running this affected software, including your Mac (OS X is based on Unix).
This 'bash' bug is probably a bigger deal than Heartbleed, btw.
— Robert Graham (@ErrataRob) September 24, 2014
Jim Reavis at Cloud Security Alliance wonders if Shell Shock could be "worse than Heartbleed," while Graham is even less optimistic:
Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.
Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.
Well, fuck. Bash can be updated with the links here, but we recommend turning off your computer for the next several months and just waiting this out.