
The Shellshock Bug: Is Your Company at Risk?

By the DynaSis Team

Have you heard of “Shellshock”―the newest computer vulnerability to hit the news? If so, you may be wondering if your firm is at risk. Or, perhaps you heard that Shellshock doesn’t affect Windows devices, so you have dismissed it as a non-event for your office. In either case, we encourage you to read this alert.

Discovered on September 12 and made public on September 24, Shellshock (also known as Bashdoor) is actually a family of bugs in a program called Bash. Written more than two decades ago, Bash is a “command shell” program―it interprets commands from users and other computers and relays them to the machine on which it is installed. Experts now believe that the bugs in Bash may have been introduced into the software code accidentally in 1992.

Bash can run on devices and systems that use the Linux or UNIX operating systems or Apple OS X, but the vulnerability doesn’t stop there. UNIX is deeply ingrained into the Internet, and experts estimate that as many as 70% of Internet-connected devices run Bash. It’s also used frequently in consumer electronics, from watches to cameras.

Here are the takeaways you need to protect your firm.

  • The National Institute of Standards and Technology rates Shellshock a 10 on a 10-point severity scale. (Heartbleed was a 5.)
  • Firms running Windows are at risk, because a variant of Bash that runs on Windows is vulnerable, as well. Furthermore, if employees visit compromised websites, they could pick up malware distributed by the site. Firms that run web servers or have UNIX, Linux, iOS or Android devices on their network have a heightened risk of attack.
  • Unlike Heartbleed, Shellshock can only be exploited if the targeted machine actually uses Bash. Merely having it installed isn’t enough to result in exposure.
  • It is an unsophisticated vulnerability, making it easy for hackers to make use of it. Unlike Heartbleed, it doesn’t just steal information. It takes remote control of computers and can do just about anything with them or the networks to which they connect.
  • Companies that run Bash are issuing fixes and patches rapidly. Unfortunately, many of them have been incomplete or ineffective. This situation should improve over the next few weeks.
  • As a precaution, companies should ensure all their software is fully updated and check to see if the websites they or their employees use have been patched.
  • Internet-connected firms that have not had a network assessment (including a software audit) recently should conduct or order (outsource) one, soon. Proactive assessments, auditing and policy implementation are some of your most important defenses against this bug. (More about that in next week’s blog.)

From a broader perspective, we find it deeply concerning that a software flaw could have existed for 22 years, undetected. It makes us wonder how many other “low-level” programs―perhaps also deeply ingrained in the Internet or other systems―have similar flaws.

To learn more about Shellshock or to discuss proactive software updates, vulnerability assessments and/or software audits, fill out our inquiry form or give us a call at (770) 569-4600.
