The Shellshock “Bash Bag” has been described by some publications as being more dangerous than the Heartbleed bug that was discovered earlier this year. Is it true, or have the risks associated with the bash bag been exaggerated? Here’s a comparison of these two tech problems.
First, a recap of Heartbleed for those who don’t remember the story from earlier this year. Basically, Heartbleed was a security flaw that affected something like 2/3 of all web servers. Heartbleed was created as the result of a careless accident by programmer Robin Seggelmann.
Heartbleed was a flaw in OpenSSL, an open-source encryption technology. Because OpenSSL is used in the “secure” part of websites, Heartbleed was vulnerable to hackers who were looking to steal passwords or personal financial details. What made Heartbleed so scary was the fact that users couldn’t easily tell if their data had been compromised.
The video above offers an explanation of the Heartbleed security flaw that even non-techies can understand. In the video, popular YouTuber Tom Scott breaks down what Heartbleed is, using diagrams and Pokemon references to illustrate his point.
In contrast, the Shellshock “Bash Bag” is a different type of vulnerability. As Mashable explains, this bash bug allows hackers to add some malicious information to servers and personal computers. At least 3,000 systems have been affected, according to Mashable. A security patch has been issued to deal with this bug, but it may not be completely able to deal with the problem.
Ars Technica notes that the “bash” in the name refers to the GNU Bourne Again Shell (or BASH), which is used in many Linux and Unix operating systems. Ars Technica is quick to add, however, that “because of its wide distribution, the [Shellshock Bash Bug] vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous.”