For the second time this year, the media is drawing attention to a major security issue. Its name is Shellshock.
To set most business people at ease, Shellshock does not affect Windows systems. So then why is there such a panic about this bug? The comparison to April's news on Heartbleed is an important parallel. Both are bugs in code widely used by UNIX systems. Most systems on the Internet don't run on Windows; they run on various forms of UNIX. Even the Apple Mac Operating System (OS) is based on a UNIX core. The reach of this bug is also not limited to servers. Network devices (routers/switches), webcams, and an untold number of network-connected devices run on a form of UNIX. Security labs have already seen indications that hacker groups are testing attacks based on this bug, and these tests will eventually become viruses in the wild. So far, there is no clear indication of large-scale attacks or infiltrations using Shellshock as an attack vector. Heartbleed was a bug in OpenSSL, the software used to secure connections between systems. Shellshock is a bug in the command shell of UNIX systems.
Essentially, the bug allows someone to trick a machine into running code by tagging it on to a specially formed request. This could give an attacker the ability to force the machine to do things it shouldn't, like launching attacks at other computers, or to gain unauthorized access to those machines. The industry has been slow to address the bug: because the affected software is so widespread and so often customized, it has been difficult to come up with a coherent strategy to fix it. Hopes are that patches start to roll out from vendors next week, but in the many cases where a major vendor like Apple, Cisco, Red Hat or others has no defined ownership over the vulnerable software, there may be no fix to be had. The only likely long-term fix for this could be a good network-based defense.
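The "specially formed request" above works because the UNIX shell affected by Shellshock (bash) would execute code appended to a function definition that arrived in an environment variable, and web servers copy client-supplied HTTP headers such as User-Agent and Referer straight into environment variables for CGI programs. A network-based defense can therefore watch for that function-definition prefix in request logs. The following detector is an added example, not code from the original post or from any vendor: it parses a few constructed lines in the common combined access-log format and flags any Referer or User-Agent value that begins with the `() {` prefix. The regex tolerates whitespace variation as a defensive choice; the unpatched shell itself only recognized the exact `() {` prefix at the very start of a variable's value, which is why the check is anchored to the start of the field.

```python
import re

# A bash function exported through the environment begins with "() {".
# The Shellshock bug made the shell keep parsing past the function body,
# so anything appended after it was executed. Bash only treated a value as
# a function when that prefix was at the very start, hence the anchor.
FUNCTION_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

# Combined log format: the client-supplied Referer and User-Agent are the
# last two quoted fields, and both are commonly exposed to CGI programs
# as environment variables (HTTP_REFERER, HTTP_USER_AGENT).
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (addresses from documentation ranges; the
# appended command is a harmless marker, not a real attack payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.77 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :; }; echo probe-marker"',
    '192.0.2.78 - - [25/Sep/2014:10:12:15 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "(){ :;}; echo probe-marker" "curl/7.30.0"',
    # Prefix is present but not at the start of the value: bash would not
    # have parsed this as a function, so it is deliberately not flagged.
    '198.51.100.5 - - [25/Sep/2014:10:13:00 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "http://example.com/" "Mozilla/5.0 () { not-a-function"',
    "this line is not in combined log format and is skipped",
]


def is_function_export(value: str) -> bool:
    """True if a header value looks like an exported shell function body."""
    return FUNCTION_PREFIX.match(value) is not None


def scan_access_log(lines):
    """Return (client_host, field, value) for every request whose Referer
    or User-Agent starts with the function-definition prefix."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at fields
        for field in ("referer", "agent"):
            value = m.group(field)
            if is_function_export(value):
                hits.append((m.group("host"), field, value))
    return hits


if __name__ == "__main__":
    for host, field, value in scan_access_log(SAMPLE_LOG):
        print(f"{host}: suspicious {field} header: {value!r}")
```

Running the block flags the second and third sample lines and nothing else. In practice the same check belongs on the proxy or web-application firewall in front of the server, applied to every header a CGI program might receive (Cookie and custom headers included), and a hit should trigger an inspection of the host rather than just a blocked request, since the text above notes that fixes for some devices may never arrive.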