A new vulnerability has been discovered that some are calling bigger than Heartbleed. This one, called Bash or Shellshock (I’ve seen it called both equally), affects Linux, Unix and Mac OS X. Bash is a popular and frequently used system shell. As explained in an Ars Technica article:
The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network–based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.
One of the reasons this is so serious, Alan Dundas, vice president and product architect for Authentify, told me in an email, is because the Linux bash shell is everywhere. Many of the devices within the spectrum of the Internet of Things have Linux roots, and they weren’t designed for patches or to detect and prevent malware.
This could lead to some serious security problems in ways we aren’t used to, as Kaspersky Lab’s Securelist blog pointed out:
This vulnerability is unique, because it's extremely easy to exploit and the impact is incredible severe – not least because of the amount of vulnerable targets. This does not just affect web servers, it affects any software which uses the bash interpreter and reads data which you can control. The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points.
While it has the potential to create some very serious security headaches, Steve Durbin, managing director of the Information Security Forum, doesn’t think we are headed for disaster just yet. He told me in an email:
The Bash vulnerability simply stresses the point that there is no such thing as 100% security and that we all need to take a very circumspect and practical approach to how we make use of the devices that we use to share data both within and outside the home and our businesses. Whether or not this will lead to a wave of cyber-attacks, I have my doubts, but that is not to say that the vulnerability shouldn’t be taken seriously and it is incumbent upon all of us as users to guard our data and take all reasonable precautions to ensure that we are protecting our information as best as we are realistically able.
The test to see if your system is affected by this vulnerability is included in the Ars Technica article. Patches are also available.
This story hit me pretty suddenly, I’ll admit. I was ready to write a blog on a totally different topic when my son sent me a message asking if I had heard about this new vulnerability on Linux. Within minutes of that message, I saw information flooding my Twitter account and my inbox. I’ll keep up on this and report back as I learn more. How this will affect the Internet of Things is going to be a story to watch.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba