First reported late yesterday, Researchers are calling a revealed flaw in Linux, UNIX, and Mac OS X as potentially bigger than the HeartBleed vulnerability reported in April of this year.
The Heartbleed bug allowed Hackers access to retrieve and review stored data, but the newly uncovered bug allows Hackers to take full control over the entire system.
The flaw allows a remote attacker to attach a malicious executable that is then executed when the open source Bourne Again Shell (Bash – a very common UNIX command shell) is enacted.
And it’s not just a single version of Bash that is vulnerable, it’s every version in use today.
The flaw, just discovered, is being reported as existing for almost 25 years, which means that it has been incorporated in both computers and devices.
Red Hat is providing diagnostic steps to test to see if your version of Bash is vulnerable. https://access.redhat.com/articles/1200223
US-CERT is also now involved, providing warnings and updates for the vulnerability.
https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability.
US-CERT is also reporting that updates are available for CentOS, Debian, and Ubuntu and a GNU Bash patch is available.
Troy Hunt does an amazing job digging through the specifics of this vulnerability here:
Everything you need to know about the ShellShock Bash bug: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
