Considering the recent demo of an attack against qmail mail alias forwarding, it's starting to look like email servers are vulnerable too. The bigger problem is this is not a bug per se, as bash is a local shell doing exactly what it is being told to do. Patching will have only limited effect. The real problem is not sanitizing untrusted (network) inputs before passing data off to a parser or other program. The DHCP demo works because DHCP server reply data text was passed to network card configuration scripts which use bash, with zero sanitization. Quite a lot of programs from the late 80's and early 90's were made when university network environments were relatively trusted, so little thought to direct security requirements were done by the developers, many whom did it for free on their own time. Somehow many of these things became part of trusted internet infrastructure without serious (re)auditing, and do quirks many are afraid of doing serious rewrites (the busybox guy says this a lot, as busybox is used a lot in embedded hardware).
Heartbleed happened because the TLS heartbeat code was largely written for a Ph.D thesis by a grad student, and this seemed to be the norm throughout the OpenSSL codebase. The same sort of naive thinking and poor coding practices from the early WWW era are now facing an actively hostile internet. Which is being protected by security researchers who focused on more exotic memory bugs, when a lot of the current crop of serious issues will have come from more basic and easier to attack issues in software. Also, open source sofftware bugs as of late show the many eyes make bugs shallow concept may be a fallacy, in so much as it is a tragedy of the commons where anyone could have checked, but everyone assumed someone else did.
The upside is the actively scanning botnets have largely infected their targets already for the low hanging fruit of common CGI URL's by the end of the weekend (more like mid friday), so next week is mostly watching for more unexpected bash usage holes like the qmail bug. So by next weekend, pretty much any internet facing service with a well known port and an exploitable means to access bash will be nailed. The real horror is all the unpatched and unpatchable enterprise IT systems lurking on internal networks. Much like the slammer and conficker worms, which never seem to die away, this will probably be with us for a long time. We might be lucky that iOS and android don't seem to have easy bash related holes (yet, knock on wood)
With this, the debian APT bug, the NSS bug, and the jguery site hijack, this has been a long week for some people.
