The Shellshock vulnerability – a bug that exposes Unix-based computers (including Mac OS X) to remote code-injection attacks – burst onto the scene just in time for Halloween. It's currently spooking security experts as they scramble to install patches and secure their servers.
The vulnerability targets Bash, a command-line interpreter that is common on many servers. Bash ships by default on nearly every computer that provides a Unix shell. Because the attack can affect data servers, its impact could be devastating.
Experts currently disagree on the potential footprint of the attack. PCMag says that only thousands of machines will actually be vulnerable, while MIT's Technology Review puts the number in the millions. This vulnerability is either the IT equivalent of a zombie virus or just a seasonal flu, depending on whom you ask. But who is right?
To be honest, we don't know. And it doesn't really matter. Regardless of the final number of machines hacked, the Shellshock vulnerability is certainly not something to treat lightly. The NIST ranked it 10 out of 10, making it among the most dangerous vulnerabilities. IT consultants need to download patches to fix it immediately.
To understand why this threat is so huge, let's take a closer look at how it works and why the nature of this threat makes it more severe than Heartbleed.
A Wolf in Sheep's Code: Understanding How Shellshock Works
Shellshock allows hackers to remotely execute code on your clients' machines. Here's how it works:
- When Bash is handed an environment variable, it also executes any other code included in the variable's definition, not just the definition itself.
- Hackers can put malicious code inside environment variables and inject that code into the helpless system.
A wolf in sheep's code, if you will.
Other threats, like Heartbleed, only expose data as it is being transmitted. Shellshock, on the other hand, lets an attacker take remote control of servers, data centers, and personal devices.
And it gets worse. Because Shellshock allows remote control, hackers could use code-injection attacks to create a self-replicating worm that would move from machine to machine, leaving a wake of compromised computers. That's the zombie apocalypse scenario.
When a remote-execution vulnerability like Shellshock is first discovered, security experts see two issues:
- There is the immediate need to fix and repair the bug.
- There is the greater worry that the vulnerability could spawn new malware that spirals out of control as it affects machines whose owners are slow to update.
We're still in the initial phase, and security experts are looking to "vaccinate" or develop patches that will prevent the Shellshock vulnerability from becoming a larger threat.
IT Consultant Liability: Patches to Fix Shellshock
ZDNet reports that Apple has issued an incomplete patch that will fix OS X for the time being. More complete updates are expected for all systems that use Bash.
Vulnerabilities like this are an important reminder for IT consultants: make sure your clients install security patches and upgrades as soon as they come out. Vulnerabilities get worse the longer they're out there. Hackers build more and more advanced exploits that take advantage of these security flaws.
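The quickest way to confirm that a client's update actually landed is to ask the installed Bash whether it still runs code appended to a function definition passed in through an environment variable, the behaviour described above. The script below is an added example for this post, not something the author or any vendor published; it assumes only that a `bash` binary and `env` are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the bash on this
# host still executes commands appended to an exported function definition,
# i.e. whether the Shellshock fix has been applied.
#
# Assumptions: a `bash` binary is on PATH, and `env` is available.

# Prints "patched", "vulnerable" or "no-bash" on stdout. The variable's value
# is a harmless function definition followed by an `echo`; a fixed bash either
# imports only the function or treats the whole value as plain text, so the
# trailing command never runs.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    result=$(env x='() { :;}; echo vulnerable' bash -c 'echo harmless' 2>/dev/null)
    case "$result" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Returns 0 only when the installed bash is fixed, so the function can gate a
# patch-compliance script or feed a monitoring check on a client machine.
bash_is_patched() {
    [ "$(shellshock_status)" = "patched" ]
}

# Records the bash version next to the result, which is what you want in a
# client-by-client inventory of who still needs the update.
report() {
    printf 'bash version: %s\n' "$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null)"
    printf 'shellshock status: %s\n' "$(shellshock_status)"
}
```

Run `report` on each client host after the update; any host that still prints "vulnerable" has not received a fixed Bash and should be treated as exposed.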
When a client uses old software or is slow to upgrade, they actually expose you – the IT consultant – to more risk. Because you can be sued for data breaches on a client's computer, you have a vested interest in making sure your clients' software is up-to-date.
Your clients might not understand the importance of timely patches and updates, so they could take a lackadaisical approach to their security and put off crucial updates. You'll have to teach your clients the importance of these updates, emphasizing that they don't want to be on the wrong end of a zombie infestation on their servers.
For more tips about teaching data security to clients, see "Client Education Resources for Fighting Data Breaches."