Shellshock! Are You Vulnerable?
A serious flaw was recently discovered in software that's found on untold millions of web servers. But desktops, laptops, smartphones and other devices may be vulnerable to the “Bash Bug” as well. Read on to cut through the hype and find out whether you need to take action...
Bigger and Badder than Heartbleed...
Forget about Heartbleed, you’re about to get Shellshock from the Bash Bug. Another flaw in an open-source program commonly used in just about everything was announced on September 24 by its discoverer, Unix specialist Stéphane Chazelas. The new flaw is being called both “Shellshock” and “Bash Bug.” (I wrote about the Heartbleed flaw in my article A Gaping Hole in Internet Security.)
The bug exists in the “Bash” command shell, most commonly found on computers that run some version of the Unix operating system. Some early stories predicted the end of the world as we know it, but I've waited a few days for the dust to settle, so I could gather the facts and deliver them here.
There's no doubt this flaw is a doozy. The National Institute of Standards and Technology (NIST) rates its danger level at a 10 out of 10; the Heartbleed bug got only a five. That’s because Heartbleed only enabled eavesdropping on data flowing through a compromised machine, while Shellshock enables an attacker to take control of a device and do whatever he wishes with it.
Also, the Heartbleed bug affected only web servers, while Shellshock is estimated to exist in 70% of all devices connected to the Internet. Finally, the Shellshock flaw can be exploited via “worms,” self-replicating malware packages that spread like wildfire from one networked device to all others it touches via the Internet.
Who Needs to Worry?
Shellshock is primarily a Unix bug. But in addition to web servers, lots of other computers run some variant of Unix, including Mac OS X, iPhones, iPads, Android-powered phones and tablets, internet routers, streaming video boxes, and scores of other gadgets. The Bash software can even be installed on Windows computers.
Just about any device with the word “smart” in its name runs some form of Unix and could contain the Shellshock bug; smart watches, smart coffeemakers and refrigerators, smart home automation modules, even smart utility meters. So yes, the Shellshock bug probably exists in devices all around you, and in devices to which your devices connect.
HOWEVER... if you're a typical home computer user, there's nothing to worry about.
Windows computers don't come with the Bash software. You'd have to install it purposely, and you'd probably do that only if you were a Unix software developer. So computers running Windows should not be affected.
If you have an Apple desktop or laptop computer running Mac OS X, there's a small chance you might be affected, because OS X is built on Unix. But only those who use the "advanced Unix services" that are built into OS X need be concerned. So again, if you're not a Unix geek, no worries for Mac users.
But wait, didn't I also say that both iOS (which runs iPhones and iPads) and the Android operating system (which powers many popular smartphones and tablets) are based upon Unix? True enough, but the vulnerable Bash software is not present on those mobile operating systems. Unless you have jailbroken or rooted your device, or installed Bash yourself, you are safe from the Shellshock bug.
But What About Other Gadgets?
Patches that close the Shellshock/Bash Bug vulnerability will likely be issued haphazardly by device makers over the next month or so. As far as I know, gaming consoles, Tivos, and Roku boxes are not affected. But I'd still advise enabling the “automatic updates” feature wherever it exists on your Internet-connected devices and anything “smart” that may be in your home.
The best information I've found says that "nearly all" internet routers are safe as well. Routers typically require manual checks for firmware updates, so make a note to do that regularly. Check with your ISP or visit the router manufacturer’s website to see if a firmware update is needed.
As for smart utility meters and appliances that run embedded unix, my understanding is that most of these devices run a Bash alternative called busybox, which is not vulnerable. Some older devices, such as security cameras, may be vulnerable to the Shellshock bug. But it may be nearly impossible to patch them. They are often designed without any means to update their operating systems, short of replacing the embedded hardware on which the OS resides.
If there's a silver lining to this story, it's that Shellshock is more difficult to exploit than Heartbleed. It’s not enough for the Bash software to exist on a device; it must be actively in use when an attacker strikes in order to be exploited. If a device has the Bash shell but doesn’t use it, it’s immune to Shellshock attacks.
The Bash/Shellshock bug has existed since 1992, but only since it was announced on September 24 have security researchers detected any attempts by hackers to exploit it. That doesn’t mean Shellshock hasn’t been exploited, but it appears that this bug’s existence was overlooked by snoops, hackers and men with black sunglasses for 22 years, too.
Bottom line, if you are a webmaster for a site that runs on some version of Unix or Linux, or a person who uses the command line on a Unix-based computer, you need to test your system and apply a patch. Otherwise, “keep calm and carry on.” Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 30 Sep 2014
|For Fun: Buy Bob a Snickers.|
Belkin WeMo Home Automation
The Top Twenty
Geekly Update - 01 October 2014
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005
- Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Shellshock! Are You Vulnerable? (Posted: 30 Sep 2014)
Copyright © 2005 - Bob Rankin - All Rights Reserved