Security researchers have discovered a new software bug known as the “Bash Bug” or “Shellshock,” or to those more technically “in-the-know” as the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271). This bug, more correctly termed a vulnerability, potentially allows attackers to run commands on, and gain control over, targeted computers.
The bug is present in a piece of software called Bash that is typically found on computers running the Linux or Unix operating systems, of which there are many variations. These operating systems are generally used to power server computers, such as the ones that many of the world’s websites run on. Also impacted are Apple Mac computers running Apple’s operating system, OS X. Computers running Microsoft Windows are not impacted by this vulnerability directly, but could be at risk if web servers holding their users’ data are compromised.
There are three likely targets:
Bash is a command interpreter, or “shell”: it takes commands that a user types (or that are stored in a script) and turns them into actions the computer carries out. In the early days of computing it was common for users to enter commands directly; today, point-and-click user interfaces hide most of this. However, many websites still use scripts made up of such commands to automate interaction with the underlying computer. On a Unix or Linux computer, if you have ever typed commands into a window that has a prompt that looks like this, then you are likely talking to Bash.
The Bash bug allows an attacker who can get data into the environment Bash starts with (for example, through a request to a website that hands the request on to a script) to smuggle in additional, unauthorized commands that Bash then runs. That, in turn, could allow the attacker to steal data or gain control over the web server or other device.
So far, there is no significant evidence that shows that this bug has been exploited in the wild. However, now that researchers have brought this vulnerability to light, cyber criminals may see this as their chance to take advantage of it. Now it’s up to software companies to quickly create and implement patches and updates, before hackers can reap their unscrupulous rewards.
We believe web servers are the most likely targets for attack, and website owners are no doubt working quickly to patch their computers. Unfortunately, there is no easy way to tell which websites may have been attacked, so as a general precaution we recommend keeping an eye out for suspicious activity on the accounts you keep online and periodically changing important passwords, such as those for your email, financial and social network accounts.
Business owners that have professional websites should apply any available patches immediately, and verify afterwards that the installed Bash is no longer affected.
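The following is an added example, not part of the original article, showing the mechanism described above in miniature and giving a local check that a patch has taken effect. Bash lets a parent shell pass function definitions to a child shell through environment variables whose value starts with `() {`; before the fix, Bash kept interpreting text after the function’s closing brace, so anything appended there was executed as soon as the child shell started. Web servers that hand request data to scripts through environment variables (the classic CGI setup) are how attacker-supplied text reaches that code path. The check uses the widely published test string for CVE-2014-6271 and runs only against the local machine; the function names `shellshock_check` and `exported_function_demo` are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original article): a local check for
# CVE-2014-6271 and a demonstration of the feature the bug lived in.

# Legitimate use of the feature: a parent bash exports a function and a
# child bash receives it through the environment. This is what an
# attacker abused, so it is worth seeing what "normal" looks like.
exported_function_demo() {
    bash -c 'hi() { echo hi; }; export -f hi; bash -c hi'
}

# Vulnerability check. The variable x holds an empty function followed
# by an extra command. The child bash is only asked to run "echo test";
# if the word "vulnerable" also appears, bash executed the trailing
# command while importing the function, i.e. the fix is not installed.
# Prints "patched", "vulnerable" or "no-bash" and returns 0, 1 or 2.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

echo "exported functions still work: $(exported_function_demo)"
echo "bash status on this machine: $(shellshock_check)"
```

Run it on each host after updating Bash; a result of `patched` for this string shows the original CVE-2014-6271 fix is present, but because several follow-up bugs in the same parser were fixed separately, keep applying the distribution’s later Bash updates rather than treating this single check as the end of the story.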
If you’re a Windows user, your personal device is not vulnerable to this bug. Still, if a web server running Linux has been compromised and it holds your personal information, you may be affected. If your personal device or computer runs Linux or Unix (including Mac OS X), you may be susceptible, particularly if you are running an unpatched version.
While most of the responsibility for stopping cybercriminals from exploiting this bug lies with software companies and website owners, it is still extremely important to keep all of your software up to date, since updates often contain security patches that help keep your data secure.
Here are a few things that consumers can do to stay protected:
Remember, Microsoft Windows computers are not directly susceptible to attack using this vulnerability.