A new malicious threat to all businesses' IT systems and the data they contain has just been discovered. The bug, dubbed the Bash bug, or “Shellshock,” is threatening users of Unix-based operating systems, like Linux or Mac OS X. It allows the execution of arbitrary code on affected systems, and could potentially be disastrous for your business. In fact, CNet is calling it “bigger than Heartbleed.”
Bash, which is commonly referred to as the “Bourne again shell,” is a staple feature of most utilities in Unix-based operating systems. Red Hat’s official security blog details the nature of the bug in the Bash shell:
In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name which has a value assigned to it. The same is true of the Bash shell. It is common for a lot of programs to run bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc).
The problem lies in how Bash handles environment variables that are given specially crafted values before the Bash shell is invoked. These variables can contain code which is executed as soon as the Bash shell is called. The name of the variable doesn’t matter, so the content could be disguised as another, non-malicious variable. The most troubling consequence of this bug is that remote users can get malicious code executed the moment the Bash shell starts.
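A local check for the behaviour described above, as an added example that is not from the Red Hat post or from this article's author. The variable name `probe_var`, the marker string, the function names and the list of shell paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: checks whether a local shell binary runs code that trails a
# function definition stored in an environment variable (the flaw described
# in the article). Names and paths below are illustrative assumptions.

MARKER="ENVPROBE_$$"   # harmless text the probe asks the shell to echo

# probe_bash PATH
#   returns 0 = affected (trailing code ran at startup)
#           1 = trailing code ignored
#           2 = PATH is not an executable file
probe_bash() {
    shell_path=$1
    [ -x "$shell_path" ] || return 2
    # The value holds an empty function body followed by one extra command.
    # The variable name is arbitrary; only the value matters.
    out=$(env -i PATH="$PATH" \
          probe_var="() { :;}; echo $MARKER" \
          "$shell_path" -c ':' 2>/dev/null)
    case $out in
        *"$MARKER"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# report_shells PATH...
#   prints one line per candidate; returns 1 if any candidate is affected
report_shells() {
    status=0
    for candidate in "$@"; do
        probe_bash "$candidate"
        case $? in
            0) echo "$candidate: AFFECTED, update Bash"; status=1 ;;
            1) echo "$candidate: trailing code ignored" ;;
            2) echo "$candidate: not present" ;;
        esac
    done
    return $status
}

# Common install locations (assumed; adjust for your systems).
report_shells /bin/bash /usr/bin/bash /usr/local/bin/bash ||
    echo "At least one affected shell found: apply the vendor update."
```

A clean result covers only the behaviour described here; since the first patch was partial, keep applying vendor updates as they are released.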
Attacks that take advantage of this vulnerability have already been reported, serving a number of purposes, including denial of service attacks and password-guessing bots, which randomly input poor password choices on unprotected servers. Researcher Robert Graham, by executing a fairly specific search, has located at least 3,000 systems vulnerable to the bug, and it is estimated that many times that number could be vulnerable. This makes the threat very real, and if you use Linux or Mac OS X, your business’s networks and data are at risk.
The threat is so widespread and immediate that the United States Computer Emergency Readiness Team (US-CERT) has warned the public to download the patch to defend against the Bash bug before their systems are compromised. To put this threat in perspective, the last vulnerability to make “Alert” status was the Backoff Point-of-Sale malware discovered in late July this year, which was able to steal sensitive information through sales terminals across the world.
While a patch has been released, it doesn’t protect against all the vulnerabilities targeted by the bug. However, Red Hat still recommends that you acquire the partial patch until the complete one has been issued. For help acquiring the patch, call Quikteks at (973) 882-4644. We’ll apply it remotely so you have to worry as little as possible.