Shellshock, or the “bash bug”, is making big news in the security scene. It’s a bug in the widely used Unix Bash shell that causes Bash to unintentionally execute commands placed in environment variables.
Security expert Robert Graham explains why this bug is bad news, especially for the “Internet of things”:
“The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.
Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.”
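A local check for the behaviour described in the opening paragraph, added here as an example (it is not from the original post or from Graham): it starts a Bash binary with an environment variable shaped like an exported function followed by an extra command, and reports whether that command ran. The function names, the marker string and the candidate paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Return codes of shellshock_check:
#   0 = vulnerable, 1 = not vulnerable, 2 = binary missing or not executable.
shellshock_check() {
    target=$1
    marker="shellshock-check-$$"    # constructed, harmless marker string
    [ -x "$target" ] || return 2
    # The value looks like an exported function definition with a trailing
    # command. A fixed Bash ignores it; a vulnerable Bash runs the trailing
    # "echo" while it starts up, before the no-op "-c :" is even reached.
    # env -i gives the child a clean environment holding only the probe.
    out=$(env -i probe="() { :; }; echo $marker" "$target" -c ':' 2>/dev/null)
    case $out in
        *"$marker"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Check the usual install locations (assumed paths; adjust for the device).
shellshock_audit() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -e "$candidate" ] || continue
        rc=0
        shellshock_check "$candidate" || rc=$?
        case $rc in
            0) echo "$candidate: VULNERABLE" ;;
            1) echo "$candidate: not vulnerable" ;;
            *) echo "$candidate: could not be executed" ;;
        esac
    done
}

shellshock_audit
```

The check covers only the behaviour this post describes; a "not vulnerable" result says nothing about other parser bugs in the same Bash build.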