The impact of the Unix/Linux/OS-X Bash "shellshock" vulnerability could be greater than anything since Y2K.
That said, the panic over "shellshock," and the rush to alter Bash without extensive planning and testing, may create far greater problems.
For Y2K, we learned that the date code fixes were the easy part.
The massively more complex, error-prone, and unscheduled-downtime-producing part was discovering and correcting or mitigating the failures in other software caused by the fixes. Some of these weren't discovered until the new systems had been in production for months. A few even resulted in organizational policy changes because they were just too disruptive to actually fix at that point.
Why, after 22 years, do a great many routers, access points and computing devices on the Internet suddenly require new, largely untested software?
No one is suggesting that nothing be done, and done quickly.
However, in this case, an interesting series of events has culminated in not just another run-of-the-mill vulnerability, but one demanding massive updating of systems affecting virtually every person using a computer on the planet.
This combination of factors gives one pause...
"Bash is standard on Mac OS X and many Linux systems"
Timeline...
Thus, the NSA and other security agencies are naturally alarmed about this pushback. After all, we do pay them to be hypervigilant.
Ramifications...
- The Bash shellshock "vulnerability" has been an "undocumented feature" of Bash for 22 years. In all that time, on all those supercomputers and other high-security systems running Unix or Linux, no one discovered this or thought it was a problem?
- Now, every installation of Bash in the world is about to be replaced.
- Though Bash is open-source, few people actually take the time to study the code of such large and complex programs.
- Bash is written in the computer language "C", which allows embedded assembly-language code, code that even fewer programmers have the skills to read.
- C also makes it easy to treat any block of binary, such as something labeled as data or a small image, as executable code.
Thus, far more disruptive vulnerabilities could be introduced in the rush to fix Bash that wouldn't be discovered for quite some time.
More Resources