Shellshock Bash Bug

Since the announcement of the Shellshock Bash bug yesterday, there has been a lot of confusion about what it is and how it may impact people. At a high level, it impacts bash, which is a “shell” program for systems running some flavor of Unix, such as Linux. For those who are interested in the details, please visit the links in the reference section. In this post we want to discuss how Shellshock impacts different groups and what can be done:

Enterprises

Many enterprise systems run on some variety of Unix/Linux, so all enterprise companies are likely to be impacted by Shellshock in some way. Your system administrator will need to remedy this vulnerability by applying patches. Below are links to Linux vendors that have provided information to mitigate Shellshock:

Small Businesses

For small businesses, the biggest risk is in the security of the company website. If you are a small business, you’ll want to make sure the web server you use isn’t impacted. For those who have root access to their system, you can use one of the links above to fix the issue. Otherwise, check with your web hosting company to make sure the web server your website is sitting on is either safe or gets patched.

Consumers using Microsoft Windows

For one of the few times that I can remember, this vulnerability does not impact the Windows system. So, if you are like the majority of people who are on Windows, congratulations, there is nothing to worry about.

Consumers using Apple Mac

Most reports have indicated that Mac OS X does use bash, so yes, this vulnerability can potentially impact Mac users. Apple has yet to issue a patch. Within the last two hours, iMore has quoted an Apple spokesperson as saying,

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,…With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

Based on this, regular Mac users should not panic and should simply install the software update when it becomes available.

Beware of Phishing Attempts

One important thing to keep in mind is that you are likely to receive emails purporting to have come from software vendors asking you to click on a link to download a patch. Do not click on the link unless you can verify the authenticity of the email. An easy way to do this is by mousing over the link to see if the destination URL contains the expected domain name. If not, it is a phishing attempt and you should delete that email.
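The mouse-over check can also be automated, for example in a mail filter or a help-desk script. The sketch below is an added example, not part of the original post: it compares the link's actual host with the expected vendor domain and shows where simply spotting the vendor name somewhere in the URL gives the wrong answer. The domains `vendor.example` and `downloads.test` and all sample links are constructed placeholders.

```python
from urllib.parse import urlsplit

def naive_contains(url: str, expected_domain: str) -> bool:
    """The eyeball check: does the expected name appear anywhere in the URL?"""
    return expected_domain.lower() in url.lower()

def host_matches(url: str, expected_domain: str) -> bool:
    """True only when the link's host is expected_domain or one of its subdomains."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname is lowercased and excludes any "user@" prefix and ":port" suffix
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return bool(host) and (host == expected or host.endswith("." + expected))

# Constructed sample links (placeholders, not real vendor or attacker URLs).
SAMPLE_LINKS = [
    "https://support.vendor.example/patches/bash",   # real subdomain of the vendor
    "https://vendor.example.downloads.test/patch",   # vendor name used as a subdomain label
    "https://vendor.example@downloads.test/patch",   # vendor name in the userinfo part
    "http://downloads.test/vendor.example/patch",    # vendor name in the path
    "https://notvendor.example/patch",               # vendor name as a suffix of another name
]

def audit(links, expected_domain):
    """Return (url, naive_verdict, host_verdict) for each link."""
    return [(u, naive_contains(u, expected_domain), host_matches(u, expected_domain))
            for u in links]

if __name__ == "__main__":
    for url, naive, strict in audit(SAMPLE_LINKS, "vendor.example"):
        print(f"contains={naive!s:5} host_ok={strict!s:5} {url}")
```

Every sample link contains the vendor name, but only the first one actually leads to the vendor's domain.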

Internet Of Things

In the movie “Independence Day,” when our hero uploaded a virus into the alien mother ship, it not only caused the mother ship to be unable to use the protective shield that even an atomic bomb cannot penetrate, it caused all the other objects under alien control to lose that capability, too, and that led to the eventual destruction of the aliens and victory for the humans. When everything is connected via the internet, a vulnerability that can be easily exploited can potentially do as much damage to humans.

Indeed, the Shellshock bash bug serves as a warning on how much risk we are potentially facing in an internet of things world. When everything is running on a chip and everything is connected, any vulnerability can potentially have a huge impact. The lesson here is we need to make sure security is a top priority as we head towards a world where everything is connected.

Resources: