The papers are full of the Bash/Shellshock bug, claiming that “the virus is even worse than Heartbleed” and describing it as the “Catastrophic flaw which may threaten the security of millions of devices” (courtesy of the Daily Mail). At 2-sec, though, we like to look at the facts before predicting doom and gloom for the general populace. Here’s our take on the subject.
Background: Bash is the software used to control the command prompt on many Unix computers. It’s claimed that the bug may pose a threat to computers running Unix-based operating systems, including Linux and Apple's Mac OS X, and that it could in turn spread to Android, Windows and IBM machines, plus all internet-connected devices.
How does it work? The bug allows hackers to read information, edit, delete or copy files, and run programs, all without the user knowing. The general fear is that it could allow hackers entry to every internet-enabled device at home, because once an attacker has access to one internet-connected device, they can jump onto others. Heartbleed, in comparison, only allowed cyber criminals to spy on computers rather than take control of them.
Can it get past antivirus? If a company has strong antivirus programmes, surely this will stop Bash? Well, no: whilst antivirus software and firewalls are the basic line of defence for most organisations, they are not going to stop attackers getting in this way.
Solution: The only solution is to update vulnerable internet-facing devices with a patch, and this can only be done by website or server owners.
Don’t Panic! However, the Bash bug has been around for a long time and there haven't been any reports of real-world attacks. Also, if you are an advanced enough user to have enabled the types of services that can be exploited by Shellshock, you’re also likely advanced enough to turn off those services for now, or to patch yourself.
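For readers who want to check whether their own machine still needs the patch, here is an added self-check script (not part of the original post, and not from 2-sec or Apple). It uses the widely published test: an environment variable whose value looks like a shell function definition followed by a trailing command. A vulnerable Bash runs the trailing command when it imports the environment; a patched Bash treats the variable as plain text and runs nothing. The function name `shellshock_check` and the marker string `VULNERABLE` are our own choices; the script only reports on the local shell you point it at and is meant to be run on systems you administer.

```bash
#!/bin/sh
# Added example: local self-check for the Shellshock bug in bash.
# Usage: shellshock_check [path-to-shell]   (defaults to "bash" on $PATH)
# Exit status: 0 = patched, 1 = vulnerable, 2 = shell not found.

shellshock_check() {
  target="${1:-bash}"

  # Refuse to guess if the shell under test is not installed.
  if ! command -v "$target" >/dev/null 2>&1; then
    echo "no such shell: $target"
    return 2
  fi

  # The variable x carries a function-like value with a trailing command.
  # A patched bash exports x as an ordinary string and only prints "test";
  # a vulnerable bash also executes "echo VULNERABLE" while importing the
  # environment, so the marker appears in the output.
  out=$(env x='() { :;}; echo VULNERABLE' "$target" -c 'echo test' 2>/dev/null)

  case "$out" in
    *VULNERABLE*)
      echo "vulnerable: $target executes code from environment variables"
      return 1
      ;;
    *)
      echo "not vulnerable: $target ignores function bodies in the environment"
      return 0
      ;;
  esac
}

# Report on each shell named on the command line, or on bash by default,
# so a machine with several bash builds (e.g. /bin/bash and /usr/local/bin/bash)
# can be checked in one go.
shellshock_report() {
  rc=0
  for sh_path in "${@:-bash}"; do
    shellshock_check "$sh_path" || rc=1
  done
  return $rc
}
```

Run it as `sh shellshock_check.sh`-style sourced function calls, or append `shellshock_report "$@"` at the bottom and invoke it with the shells you want tested; a non-zero exit status means at least one listed shell still needs the vendor update.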
Apple’s response: Apple has provided a statement explaining that “The vast majority of OS X users are not at risk…With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.” That update is now available via a download posted on Monday night.
Our take: stay informed, but don’t panic. Let the companies you visit online know that you are worried, and take note of their response. Most people aren’t at high risk, and there is no real reason for significant concern at this point. Companies need to work with their security vendors to get an explanation of this vulnerability, their likelihood of being affected, and how to install any available patches.