We are waiting in the calm before the storm


The Shellshock exploit went public yesterday, with reports on most major news sources within hours of its disclosure (faster than Heartbleed earlier this year). Although a patch was issued a little while after, it was later found to be insufficient to stop the exploit. As of a few hours ago we saw a revised patch released, which some have claimed still doesn't fix the issue at hand. Given its severity, and the so far limited reports of infection and scanning, one could say that we are in the calm before the storm. It is possible that mass damage has already been done, with compromised machines left dormant, waiting for the right moment.
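As an added example (not code from the original post), here is a small POSIX sh script that checks a bash binary for both the original bug and the variant the first patch missed. The two environment-variable test strings are the public ones that circulated with the disclosure and its follow-up; the script name, function names and the "missing" result for an absent binary are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: probe a bash binary for the two
# Shellshock variants discussed above (CVE-2014-6271 and CVE-2014-7169).
# The env strings are the public test cases; function names are assumed.

# Fail closed if the binary isn't there, rather than silently reporting "patched".
have_shell() {
    command -v "$1" >/dev/null 2>&1
}

# CVE-2014-6271: an unpatched bash imports a function definition from any
# environment variable and keeps parsing past the closing brace, so the
# trailing "echo vulnerable" runs at startup. A patched build prints a warning
# on stderr and ignores the definition, so stdout holds only "test".
check_cve_2014_6271() {
    shell="${1:-bash}"
    have_shell "$shell" || { echo missing; return; }
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo test' 2>/dev/null) || true
    classify_6271 "$out"
}

# Separate classifier so the decision can be tested on captured output alone.
classify_6271() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first patch left a parser bug. The dangling redirection in
# the imported definition leaks into the -c command, so "echo date" ends up
# running date with its output redirected to a file named "echo" in the
# working directory. Run in a scratch directory and look for that file.
check_cve_2014_7169() {
    shell="${1:-bash}"
    have_shell "$shell" || { echo missing; return; }
    dir=$(mktemp -d)
    ( cd "$dir" && env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# Usage: sh shellshock-check.sh [/path/to/bash]
# With no argument the host's bash is probed; pass a path to audit another build.
for probe in check_cve_2014_6271 check_cve_2014_7169; do
    printf '%s: %s\n' "$probe" "$("$probe" "${1:-bash}")"
done
```

The first probe only proves the original hole is closed; a host that passes it can still fail the second, which is exactly the gap between the first and the revised patch mentioned above, so run both before calling a box fixed.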

This won't be an extinction event of Skynet proportions, but there will be some chaos and confusion as modems, routers, webcams, NAS boxes and other devices with proprietary firmware fail to get updated in a timely manner. There is no easy solution to this problem. A comment on Robert Graham's post "Bash 'shellshock' scan of the Internet" may have sounded silly to most, but it actually has merit, as well as history behind it.

Can someone just write a worm that updates people's bash shells?

We could, and it has been done in the past: Welchia was released in 2003 to remove MSBlast from infected machines and patch them against it. The legal implications of doing this are not clear, but it's safe to say that government organisations would not be happy if you were to "fix" one of their machines without permission. Another side-effect of this sort of exploit that I'm expecting to see is an increase in tech support scams. They plague us enough as it is, but this exploit gives them a valid new angle for targeting unsuspecting computer users. The media's quick publication of this widespread issue may in fact harm more than it helps.