Security Think Tank: Patch Shellshock vulnerability without delay

What steps should businesses take to assess their vulnerability to the Shellshock Bash bug and patch vulnerable systems?

So far, 2014 has been an interesting year as far as major vulnerabilities are concerned, with OpenSSL and Heartbleed announced in April, but that vulnerability did not affect websites built on a Microsoft-only foundation. 

A vulnerability in the Xen open-source virtualisation software came to light in early October, but hard on Xen’s heels came the Bourne-Again Shell (Bash) – or Shellshock – vulnerability, followed a few days later by the Microsoft Office Sandworm and the SSLv3 Poodle vulnerabilities.

Looking at Shellshock, how bad is it? Bash is a commonly used command line shell for Linux/Unix operating systems and derivatives. This includes not only Linux and Unix servers, but also Linux/Unix-based clients, the Apple Mac operating system (OS) and devices with embedded Linux/Unix-based OSs, such as routers and domestic appliances. 

So the potential number devices that could be attacked is worryingly large, but not all Linux/Unix systems run the Bash shell, “Ash” and “fish” being two alternatives.

The vulnerability allows a range of attacks to be executed relatively simply over the internet against systems with the Bash shell such that extra commands can be added to the Bash code of an attacked system. In turn, these additional commands enable an attacker to run scripts which could lead to the attacker gaining control of the system.

So what can an individual or an organisation do? In terms of a system (or server), it is a question of obtaining the latest Bash package for the Linux distribution in use and prioritising the patching process to target internet-facing devices before moving on to patch other systems. Do not forget change control and documentation. 

As an alternative, particularly where a system has been custom built, obtain the latest Bash code from and manually compile it into the device/server code.

For other systems, such as routers and switches, the advice is to check the various manufacturer’s sites and where an update is available, download and install it, as generally these devices do not automatically update. 

For televisions and set-top boxes, these typically update automatically “over the air”, but be aware that some satellite receivers do require manually updating, typically those that are not Sky or Freesat boxes.

It goes without saying that this Bash vulnerability is a major one and devices/systems should be patched without delay.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.

Read more on Hackers and cybercrime prevention