You heard about Heartbleed, right? That nasty cyber-security bug that really caught people off guard this past April.
Well, it looks like Heartbleed has an even stronger friend that surprised users in late September – they’re calling it the Bash bug, or Shellshock. The original bug was discovered by Stephane Chazelas on Sept. 12th, although the first public disclosure happened on the 24th of the same month. When exploited, the bug allows an attacker’s code to be executed as soon as the shell is invoked, leaving the door open for a wide variety of attacks.
Errata Security’s Robert David Graham has compared the bug to Heartbleed in a recent blog post, writing, “Unlike Heartbleed … this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug.”
As of now, the most vulnerable systems appear to be computers running the UNIX operating system. However, security experts are quickly pointing out that the vulnerability depends on how the bug is actually being used, and not all UNIX users will be affected.
Graham added that the reason this bug could be worse than Heartbleed is that it interacts with software in unexpected ways, and while the number of systems that need to be patched is larger than with Heartbleed, many systems won’t be patched because the vulnerability will likely go unnoticed.
However, Graham wrote that there’s little need to rush and fix the bug, adding: “Your primary servers are probably not vulnerable to this bug. However, everything else probably is. Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a Bash patch. And, since most of them can’t be patched, you are likely screwed.”
Well, now that we’re all sad and a little depressed, the question remains: “What can I do?”
The reality is that the breadth of this bug isn’t fully understood yet; it’s still fairly early. However, understanding how the bug works, whether your system is vulnerable, and how to apply the right patch are the best steps to take right now.
Staying in the know about how this bug might affect your information and seeking out helpful tips are crucial for your systems and your state of mind.