For users of Unix-based operating systems, there’s a new threat on the loose. The vulnerability, promptly called the Bash bug, or “shellshock,” is targeting systems equipped with Linux and Mac OS X. The bug allows remote users to execute arbitrary code within the operating system.
The Bash shell, commonly called the “Bourne again shell,” has been a consistent feature for Unix-based operating systems for over 20 years. The official security blog at RedHat elaborates how the bug in the Bash shell is taken advantage of:
In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name which has a value assigned to it. The same is true of the Bash shell. It is common for a lot of programs to run bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc).
Complications can occur if the source code behind environmental variables has been altered before the bash shell is summoned. This allows arbitrary code to be disguised inside software and masquerade as something legitimate, when in reality the threat is hidden within programs and can alter the functions of the software. The most concerning way of exploiting this bug is to allow remote users to execute malicious code within the system. Due to the incredible amount of software out there which utilizes the bash shell, the potential damage this bug can cause is devastating.
Ever since the bug was revealed, hackers have been flocking to take advantage of it. There have already been several attacks utilizing the vulnerability, including denial of service attacks and botnets. Researcher Robert Graham has already detected 3,000 systems vulnerable to the bug, and estimates that the actual number of operating systems which could be attacked are several times greater. In a Twitter post, Graham says, “I think I was wrong saying that Shellshock was as big as Heartbleed. It’s bigger.”
Top security researchers are concerned, and you should be too, especially if you use Linux or Mac OS X on your business’s networks and servers. Even if you don’t, Bash script is used on a lot of mobile software, putting most Internet of Things technology at risk of compromise. In fact, the threat is so huge that the United States Computer Emergency Readiness Team (US-CERT) has issued an alert to the masses: download the patch before the Bash bug infects your systems. The last time the US-CERT issued an “alert” on their official security website was for the Backoff Point-of-Sale malware, which targeted sales terminals and stole credit card numbers from plenty of individuals across the globe.
Patches are coming in slow and steady, but they aren’t enough to keep up with the bug. While patches have been issued, the are not complete. However, RedHat still suggests that you use the partial patch until the complete one has been released. Tektonic can help your business take advantage of the patch, and we can offer you assistance with protecting your business’s network from the attack. Just call us at (416) 256-9928.