In the beginning, there was Unix. And Unix begat BSD, and decades later inspired Linux (a from-scratch Unix-alike, not a BSD descendant), which begat Red Hat (for the full family tree, see diagram here). These descendants were powerful and open source and free…and thus became very widely used as the basis of all sorts of operating systems and computer code, including most of the web servers and other network gear out there. One of the core features of Unix is the “shell”, that little command line prompt, and the classic one, written starting in 1977 and shipped with Version 7 Unix in 1979, was the Bourne shell, named after its author, Stephen Bourne (trust me, this has nothing to do with those Bourne Identity movies…that guy is Jason Bourne). As improvements were made, the version that ultimately came into use in many operating systems is the GNU project's compatible replacement, the Bourne-Again SHell (BASH).
US-CERT, in its typically neutral language, says: “US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.” That key phrase, “may allow a remote attacker to execute arbitrary code”, is about as hysterical as US-CERT gets, and it means you’re in a bad way if you don’t fix it.
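The post does not say how to tell whether a given machine is exposed, so here is the self-test that circulated when the bug went public. This is an added example, not something from the original post: the identifier (CVE-2014-6271) and the probe string are the ones published with the advisory, and the function names, the "vulnerable"/"not vulnerable" labels and the `--run` flag are my own. The bug itself is that a vulnerable bash imports any environment variable whose value begins with `() {` as a shell function and then keeps executing whatever follows the closing brace; anything that lets a remote user set an environment variable before bash starts (classically, a CGI script handed HTTP request headers) therefore turns into remote code execution.

```sh
#!/bin/sh
# Added example (not from the original post): the widely circulated
# self-test for the 2014 Bash bug, CVE-2014-6271.
#
# A vulnerable bash treats an environment variable whose value starts
# with "() {" as a function definition and then goes on to run the
# commands after the closing brace. The probe below plants a harmless
# function followed by "echo vulnerable"; a fixed bash must ignore it.

# Classify the probe's output: a patched bash prints only the output of
# the -c command, a vulnerable one also prints "vulnerable".
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# Run the probe against a bash binary (default: the one on PATH).
# The value of x is the constructed payload. A missing bash is reported
# as "not vulnerable" because there is nothing for an attacker to reach.
check_bash_shellshock() {
    bash_bin="${1:-bash}"
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Stand-alone use:  sh check.sh --run [/path/to/bash]
# Prints the verdict and exits non-zero when the bash is vulnerable, so
# it can sit in a fleet-wide inventory script.
if [ "${1:-}" = "--run" ]; then
    result=$(check_bash_shellshock "${2:-bash}")
    echo "$result"
    [ "$result" = "not vulnerable" ]
fi
```

Two practitioner caveats. First, the vendors' initial patch for CVE-2014-6271 was incomplete (the follow-up is CVE-2014-7169), so a clean result from this one probe is not proof that the shell is fully fixed; compare the installed version against your distribution's final advisory rather than stopping here. Second, pass the path of every bash on the box, not just the one on your PATH: appliances and containers frequently ship their own copy.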
Earlier this year we dealt with the Heartbleed bug (one of the first vulnerabilities with its own marketing name and cool logo). Totally different mechanism, totally different impact (Heartbleed let an attacker read chunks of a server’s memory, which could include passwords and private keys, rather than run code), and really, really bad (US-CERT was hysterical yet again). The trait the Bash bug and Heartbleed share is that both live in critical open-source components that are used across a huge number of computer systems. Instead of attacking systems one by one, vulnerabilities in this class of software let attackers reach many different kinds of systems at once.
There has been a long-standing debate in the community over whether open-source code is more or less reliable than proprietary code (the Windows operating system, for example). Because of the transparency of the code base and the large number of people using the code and exposing vulnerabilities (along with the cost point and so forth), most software types think open-source code is more reliable, and replacing it with something theoretically better is a non-starter. So expect more attacks in this category over time…it is unlikely that we have seen the last of them. The practical lesson is less about open versus closed than about inventory: know which of your systems embed these shared components, and be able to patch them all quickly when the next one lands.