Judging by the names alone, you can tell you wouldn’t want Shellshock or Heartbleed to happen to you. But in comparing the two near-universal security holes, Shellshock is probably in a better position to get patched up.
That’s because Shellshock is a bug in Bash, the GNU shell that ships with nearly every Linux distribution, and Bash and Linux have an army of coders at their disposal. Heartbleed, by comparison, was arguably a byproduct of the thin support the OpenSSL Project was receiving, and it reminded us of that weakness of open-source work: if no one is funding a project, and coders aren’t crusading to work on it for free, it languishes.
We covered this in an interview with Martin Winter about Quagga, the open-source routing software suite that some very big companies run in production. Those companies don’t give back to the Quagga project in return: no money, no coders, not even the code they modified.
OpenSSL wasn’t quite in that boat, but the problem had the same origin: a lack of support. The Linux Foundation has since started a fund, the Core Infrastructure Initiative, to make sure crucial projects such as OpenSSL get some help.
None of this is to diminish the threat of Shellshock. As Wired reported yesterday, a few lines of text are enough: affected versions of Bash execute commands appended to a function definition stored in an environment variable, so any service that lets an outsider set one (a web server handing HTTP request headers to CGI scripts, for instance) can be made to run an unauthorized program on someone else’s Linux server. (How far the vulnerability extends to other kinds of Linux-based appliances, switches for instance, wasn’t immediately clear; the bug is in Bash itself, so a device is exposed only if it ships Bash and lets untrusted input reach it, and many small devices use a different shell such as BusyBox’s.)
ZDNet is reporting that exploits really are happening. Security vendor Trend Micro is suggesting turning off Bash scripting, although really, it’s sounding like the vulnerability can be patched rather quickly.
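Whether a given box still needs that patch is easy to test. The script below is an added example, not code from the article or from the Bash project: it wraps the one-line probe that circulated at disclosure time in a function that reports "vulnerable", "patched", or "no-bash". The variable name `probe` and the marker strings are arbitrary choices for this illustration. The trick is that the variable’s value looks like a function definition followed by a trailing command; a vulnerable Bash runs that trailing command while importing the environment, while a patched one does not.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the Shellshock
# probe published at disclosure time. Affected Bash builds execute the
# command that follows an exported function definition when they import
# the environment; fixed builds import the function (or nothing) only.

shellshock_status() {
    # Prints one word: "vulnerable", "patched" or "no-bash".
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # 'probe' (arbitrary name) holds a function body followed by a trailing
    # "echo vulnerable". The child bash only runs 'echo probe-done'; if the
    # word "vulnerable" also appears, bash evaluated the trailing command.
    out=$(env probe='() { :; }; echo vulnerable' bash -c 'echo probe-done' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

shellshock_status
```

Run it again after every update: the environment-variable parsing received more than one fix, so a system that printed "patched" against this probe may still need the later Bash releases.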
At least Shellshock is now a known quantity, and plenty of resources will be available to patch it up; the fix is apparently pretty simple. One caveat: the first Bash patch turned out to be incomplete and follow-up patches were needed, so re-check a system after updating rather than assuming a single update closed the hole. Even so, this episode should be another reminder that open-source code is only as good as its supporting community makes it. OpenSSL, Quagga, and others could still use that support.