The Bash Security Flaw

First, it was Heartbleed. Then, during the last week of September, Shellshock became a hot topic. Shellshock is a security bug that potentially threatens millions of computers around the world: those that use the Bourne Again Shell (Bash) command line interpreter, which is the default shell on many Linux, UNIX, BSD and OS X systems. And while Windows and Android devices do not use Bash by default, they can still be vulnerable.

Understandably, this has sent ripples of fear around the globe. Considering that the vulnerability may have been there since 1992, its recent discovery has left many users wondering whether they have somehow managed to avoid the threat or are simply waiting for the bug’s repercussions to manifest.

What is the Bash security flaw?

The bug is named Shellshock and is also known as Bashdoor; both names reflect the fact that it attacks the UNIX Bash shell. The original bug was discovered by Stephane Chazelas on September 12, 2014, although the first public disclosure happened on the 24th of the same month.

Shellshock allows attackers to execute arbitrary commands in susceptible Bash versions. This is especially relevant because many web servers use Bash for particular command processing. Unauthorized access to computer systems, theft of user data, and website defacement are some of the possible results if the threat succeeds in infiltrating a vulnerable computer system.

Who has been affected so far?

The most vulnerable systems appear to be computers running the UNIX operating system. However, security experts are quick to point out that exposure depends on how Bash is actually being used, so not all UNIX users will be affected. Macs are likewise believed to be possible targets, as are web servers running on Linux. Versions of Apache are also being looked into.

As vendors scramble to roll out patches to stay ahead of malicious individuals, a number of entities were reported to have been successfully infiltrated. The likes of Yahoo, WinZip and Lycos were reportedly hit by the bug. Yahoo’s earlier confirmation that some of its servers were affected by the Shellshock bug was later retracted by Alex Stamos, Yahoo’s chief information security officer, who attributed the occurrence to a completely different vulnerability.


The security patches offered

A number of patches to plug Shellshock are now being offered. Apple has issued OS X Bash Update 1.0 for OS X 10.9 Mavericks, OS X 10.8 Mountain Lion, and OS X 10.7 Lion. A security researcher, however, maintains that the patches released for Macs are incomplete, as they fail to plug a vulnerability that could allow for DDoS (distributed denial of service) attacks. The company maintains that OS X systems are safe by default unless advanced UNIX services have been configured by users. After installing the update, Mac users are encouraged to check whether their systems’ flaws have truly been fixed.
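A behavioural check of the kind the paragraph above encourages, as an added example that is not part of the original article: it tests whether a given Bash binary still runs a command that trails a function definition passed in an environment variable, which is the original Shellshock behaviour. The names `check_bash` and `probe` and the marker string are hypothetical, and a "patched" result covers only this original flaw, not any later parser bugs.

```shell
#!/bin/sh
# Added example (not from the original article).
# check_bash is a hypothetical helper: it reports whether the Bash binary
# at the given path shows the original Shellshock behaviour.
# Usage: check_bash /bin/bash   (defaults to the first bash found in PATH)
check_bash() {
    target="${1:-$(command -v bash)}"

    # Nothing to test if the binary is absent or not executable.
    if [ -z "$target" ] || [ ! -x "$target" ]; then
        echo "missing"
        return 2
    fi

    # A vulnerable Bash imports the function definition held in the
    # environment variable "probe" and also runs the command that follows
    # it. The trailing command here is a harmless marker echo, so the
    # check has no side effects on the machine being tested.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' \
          "$target" -c 'echo done' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *done*)              echo "patched";    return 0 ;;
        *)                   echo "unknown";    return 3 ;;
    esac
}
```

Run it against every Bash binary on the system, not only the one in `PATH`, since an update may leave older copies in place.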

Long-term consequence

The biggest challenge with Shellshock lies in the large number of devices where Bash is embedded. According to a CNET article that quotes Rapid7’s engineering manager Tod Beardsley, “Shellshock is extremely dangerous because it’s easy to exploit and can give hackers the ability to take over Macs.” A Sophos infographic also shows that once a system is infiltrated, cybercriminals gain full access to a web server to distribute malware and steal data, launch DDoS attacks, and compromise other computers.

The Bash security flaw has made it clearer that attackers need not have physical access to computers to wreak widespread havoc. And with Shellshock, as reported by CloudFlare, “it removes the need for specialized knowledge, and provides a simple (unfortunately, very simple) way of taking control of another computer (such as a web server) and making it run code.”

Web security vendor Incapsula reported on September 29, 2014, that in the four days since the disclosure of the Shellshock bug, its web application firewall deflected more than 217,089 attempts on over 4,115 domains, and that the average attack rate has climbed to over 1,970, nearly double the previous rate.

While not all-encompassing in nature, Incapsula’s statistics tell us that any vulnerability will be explored to the hilt and subsequently used on unsuspecting victims. If there is any positive consequence that should come out of this, it is continued vigilance and awareness in securing one’s system.

Security awareness

We should be extra careful with our online transactions and system use, and not only because October is National Cyber Security Awareness Month. Security awareness during these very risky times is a must, whether a security flaw has been discovered or not. What Shellshock has managed to emphasize is that we cannot afford to feel overly secure, even with systems that have been serving us for a long time. We can protect ourselves mainly by avoiding obviously risky circumstances. The rest we take care of with common sense and continuous education.