Skip to main content
image description

Security threat Shellshock

On the heels of the Heartbleed bug, another severe vulnerability has been discovered. The vulnerability affects a piece of software called Bash, short for Bourne-Again Shell, which is part of the Unix operating system upon which many other OS are built, including Linux and Mac OS. The bug, which has been labeled “Shellshock”, has gone unnoticed for decades, and researchers say that it is already being actively exploited.

The bug was discovered only yesterday and is listed by the US Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) as VCE20146271. It has been given the highest score of 10 on the Common Vulnerability Scoring System.

Linux, Unix, Mac OS X affected

Bash is the most commonly used “shell” for Linux and Unix systems and is installed by default in Mac OS X. A compact Linux system with Bash can take up less disk space than a high resolution photograph; it’s extremely popular for use in embedded systems such as routers and security cameras. Because of the long period of time in which the bug has gone unnoticed, there are likely thousands of different devices, everything from routers, printers, cameras, and even car computers that can be affected by the vulnerability.

All software packages that rely on BASH have a chance to be affected. Errata Security CEO Robert Graham has said that there are too many vulnerable packages to list, and that due to its wide spread it could be considered “as big as heartbleed”.

How you can protect yourself

Users can protect themselves by updating their systems with the latest patches for Bash and disabling remote shell access to devices that run Bash. Users that only run Microsoft systems and mobile devices with iOS and Android are not affected directly, although embedded systems (such as routers) run Linux and can be vulnerable. Individual vendors have already released patches for their systems, though a general patch has not been added to the Bash project itself.

Microsoft systems and most mobile devices do not run Bash and are not affected (this includes iOS and Android devices. Despite being versions of Unix and Linux they don’t run Bash by default and aren’t affected). Be aware that some embedded systems such as routers and security cameras may be vulnerable.

Managed routers running intrusion prevention software (IPS) may be configured in a way that mitigates risk. Make sure to keep an audit of hardware on site so that you can check the version of each device to ensure it isn’t vulnerable.

If you need any additional information or advice, please contact our support team or 604-210-0010 ext. 2.