On September 24, 2014, the Shellshock bug was discovered, exposing vulnerabilities in Unix and Linux machines. Shellshock has stayed in the headlines since then as a wave of new vulnerabilities has emerged.
Threatpost’s Michael Mimoso explains that Shellshock has been actively exploited: “Analysis into the vulnerability and Bash behavior once it was patched gave birth to a half-dozen vulnerabilities in all, each with a different degree of severity.” For example, “Mayhem,” a type of malware that was discovered in April, is now using Shellshock as a way to infect servers.
“In the past, the malware used a PHP script to infect servers, but the latest version uploads a script in the Perl programming language via the Shellshock vulnerability,” said eWeek reporter Robert Lemos.
Some speculate that Shellshock may be worse than Heartbleed, but many experts believe that the worst of Shellshock is already behind us.
Tom’s Guide’s Marshall Honorof explains that the “bottom line is that while a very enterprising malefactor could use Shellshock’s tricks to affect a Windows system, system administrators can take prophylactic measures against it, and everyday users don’t have to worry about it. With fixes for the various affected Unix-like operating systems already being deployed as well, Shellshock’s potential impact should continue to diminish over time.”