At a time when it is said that a bank is hit by a cyber attack every minute, the recently discovered Shellshock bug, found in the UNIX Bash shell, has had UNIX and Linux system users scared for the safety of their accounts. The problem is that the bug affects more people than first thought. Patrick Brusnahan investigates.
The Shellshock bug, also known as Bashdoor, was disclosed in September of this year and revealed that cyber attackers had found a vulnerability in the Unix Bash shell. This vulnerability allows hackers to gain unauthorised access to a computer system. Crucial systems, such as web servers, could now be controlled remotely by attackers.
The National Vulnerability Database rated the bug as 10/10 for severity, as well as 1/10 for complexity. This means that it is not only dangerous but also very easy to use, similar to the Heartbleed bug this year, which theoretically allowed attackers to take over websites.
Unlike the recent Heartbleed bug, which was only really capable of stealing information, Shellshock allows remote code execution, allowing an attacker to exploit the vulnerability for malware distribution. Ziv Mador, vice president of security research at Trustwave, says: "I think it’s a fair comparison. There are some similarities in that both of them were in basic components that were used in many server products, which makes it a difficult situation because, suddenly, many different products are vulnerable and affected. In this case, it’s much more fragmented as many different vendors or products can be affected and all of them have to release updates so that makes it more difficult for administrators to make sure their environment is completely secure."
There were concerns from Apple users that they could be at risk as OS X uses the bash shell, despite Apple announcing that ‘the vast majority of OS are not at risk.’ Soon after, a patch was released, but it has been reported that it is incomplete and does not cover all strains of the Shellshock bug.
The time it would take to fully patch against Shellshock varies. Lee Weiner, senior vice president of products & engineering at Rapid7, said: "It’s really on a case-by-case basis. I think, for a large organisation, it could be months."
Not only is the future uncertain, but the past as well. The Shellshock vulnerabilities have been around since approximately 1992, meaning they went undetected for over 20 years. Weiner said: "It’s likely that this has been around for a while and one could speculate that it has been used in the wild to conduct attacks at some point."
This is the latest threat to electronic banking’s security. This month, a cyber attack was able to access information for approximately 83 million JPMorgan Chase customers. Cyber security company Symantec found that over 1,400 financial institutions had been targeted by Trojan viruses in 2013.
U.S. regulators, including the FFIEC, have urged banks to quickly fix their software in order to avoid possible fraud exposure. On whether the impact of Shellshock would be felt more by banks or their consumers, Weiner said: "From a pure commerce standpoint, I wouldn’t tell people to cut up their credit cards. I think there’s enough protection in most banks today to determine when fraud has occurred and alert the end user. I think the real risk is for corporations around stolen data. It’s not that the end user couldn’t be impacted, because they could be, but I think the broader impact is for corporations."
The final unexplored possibility is that Windows users could actually be affected as well. Mador said: "Windows users might be affected as well. Windows by itself is not as vulnerable as far as I know because it does not use Bash, but it is possible to use some programs that have that same functionality on Windows. For example, Cygwin. That application is vulnerable. It simply means people have to go through their entire network and find out which servers are vulnerable and take action."
A dummies guide to Shellshock
Bash, an acronym for Bourne Again Shell, is a command-line shell. This lets users issue commands to launch programs and features within software by typing in text. It’s typically used by programmers and shouldn’t be open to the wider world, though Shellshock changes that.
Mac OS X users can run it by opening up their Terminal, as can anyone using the Linux operating system by launching the equivalent terminal program. Linux and Mac OS X are largely derivatives of the Unix OS, so share some features.
The 25-year-old vulnerability is related to the processing of what are known as "environment variables" in Bash, which provide a way to influence the behaviour of software.
The Bash bug, discovered by the Linux expert Stéphane Chazelas, is causing concern because the command-line interface is used by many popular tools, which pass those environment variables to it.
In theory, an attacker could exploit a machine running Bash by forcing it to set specially crafted environment variables. This could then be further exploited to let them execute shell commands, i.e. run programs on other people’s computers. That’s endgame for the victims: their machines would in effect be in the control of the hacker.
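For administrators who have to go through their servers and find which copies of Bash are affected, the following local self-test is an added example, not part of the original article. It sets one environment variable whose value looks like a function definition followed by a harmless echo, then reports whether Bash ran that extra command; the variable name, marker text, function names and install paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: local, harmless self-test for the Bash environment-variable flaw.
# The variable name, marker text and function names are constructed for this example.

MARKER="SHELLSHOCK_PROBE_RAN"

# Classify the text a probe run printed.
# A fixed Bash prints only "done"; a flawed one also runs the trailing
# command from the environment variable and prints the marker.
classify_probe_output() {
    case "$1" in
        *"$MARKER"*) echo "vulnerable" ;;
        *done*)      echo "patched" ;;
        *)           echo "unknown" ;;
    esac
}

# Run the probe against one Bash binary (default: the bash found on PATH).
probe_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "absent"
        return 0
    fi
    # The value looks like a function definition followed by an extra command.
    # Only an unpatched Bash executes the part after the closing brace.
    out=$(env probe_var="() { :;}; echo $MARKER" "$bash_bin" -c 'echo done' 2>/dev/null)
    classify_probe_output "$out"
}

# Check every bash binary in the usual install locations (paths are assumptions).
scan_local_bash() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$candidate" ] || continue
        printf '%s: %s\n' "$candidate" "$(probe_bash "$candidate")"
    done
}

scan_local_bash
```

A "patched" result covers only the original form of the bug tested here; as the article notes, early patches were reported as incomplete, so the installed Bash version should also be compared against the vendor's fixed release.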