While the world is trying to mop up the mess that Heartbleed left behind, along comes another vulnerability that might be just as big. Dubbed “Shellshock” because it affects the Bash shell commonly found on Linux computers, and (this may surprise you) some Mac OS X servers. “Shells” are the technical term for the user interface of a computer, something you may know as a “GUI” (sometimes pronounced “gooey”, an acronym for graphical user interface). In this case, Bash is a text-based user interface that has been in use on Unix & Linux machines since 1989. What makes Shellshock so alarming is the ease of which could be exploited by hackers, the scope of hacks which could come from exploiting the weakness, and the number of machines potentially vulnerable to this bug.
What this means for you:
Unless you run a Linux or Mac OS X Server, most folks could be affected by this the same way they were exposed with Heartbleed – anyone who uses the internet has probably visited a site or used a service that is run on Linux-based webservers, and a large percentage of them probably use Bash. Security firms have already discovered attacks “in the wild” attempting to exploit un-patched servers, and due to the pervasive access a command line interface has to the computer’s operating system, any number of system compromises can be executed once the hacker has control of the Bash shell. In other words, if an internet service you use gets “Shellshocked”, any data they may be storing about you on their servers could be exposed. For now, unless you are a server administrator, there’s not much you can do, other than inquire with your critical providers whether they have taken steps to protect against the Shellshock vulnerability.