Last week, Red Hat security researchers discovered a bug embedded in the Bash shell, a widely used command-line shell. They nicknamed the security risk “Shellshock” and put out the word that this bug could allow hackers to take control of computers on Unix-based systems like Apple’s OS X and Linux. They let the cyberworld know that, if not quickly patched, this Bash bug was a bigger threat than Heartbleed to the security of systems all across the internet.
Bash, which stands for “Bourne Again Shell,” was created by Brian Fox back in 1987. This command-line shell was built for UNIX systems and was part of the Free Software Movement, which allowed people to use and redistribute the code. UNIX was the basis for much of the software that drives the internet, and a hackable flaw like this puts huge parts of today’s infrastructure at risk.
Shellshock can make machines vulnerable in several ways, but the main thing to remember is that the flaw opens the door for attackers to “trick” vulnerable devices into executing malicious processes and commands on the machine’s operating system. Symantec has warned that devices like routers that run Bash may also be vulnerable to attack. Google and Amazon have also issued warnings.
Apple’s vulnerability allowed hackers to remotely control a Mac OS X or Linux machine without authorization. Mac expert Derek Erwin calls the Bash shell vulnerabilities “edge cases,” saying that “a user would need to enable remote login privileges for all users, even guests” or adjust their advanced UNIX settings. In essence, a user knowledgeable enough to expose the vulnerability in this way is savvy enough to know not to do it.
Oracle and Cisco have been hit especially hard. While Cisco Systems has identified 38 products that are not vulnerable to Shellshock, it has found another 71 products that are. Oracle issued a statement last week letting the public know that 30 of its products are vulnerable to the Bash bug; it turns out that number was closer to 50. Oracle began preparing fixes for its Linux and Solaris operating systems immediately and has so far released nine patches covering Linux versions 4-7, Exalogic and Exalytics, Solaris versions 8-11, Database Appliance versions 2x and 12.1.2, SuperCluster, Exadata Storage Server Software, Oracle VM versions 2.2, 3.2 and 3.3, as well as its Virtual Compute Appliance Software.
Apple rolled out software patches this week for its Lion, Mountain Lion and Mavericks systems. The company issued a statement that “while most users are not affected, they have released the software patch to be proactive to fix the Bash UNIX shell from attack.” The fix is available on Apple’s website, but has not yet been pushed out through the Software Update tool. Apple has not offered a patch for Yosemite.
Companies like Kaspersky Lab, Red Hat and Symantec are constantly on the lookout for vulnerabilities across all computer systems. Since Shellshock was discovered, Kaspersky has identified and reported Bash-related attacks. Security researchers all over the world are scrambling to identify the scope of Shellshock’s threat and determine which Internet-connected systems and devices are the most vulnerable or most easily compromised.
By Jenny Hansen