
Bash shell bug puts enterprises in more peril than Heartbleed

Enterprises beware of the Bash shell bug -- experts are calling it the most dangerous security flaw of the decade. Also in Searchlight: restaurant chain Jimmy John's falls prey to a data breach; Apple sells 10 million new iPhones and counting.

Is your enterprise still reeling from the Heartbleed flaw? Hang on to your seats, because there's now a bug many security experts are deeming a bigger deal than the OpenSSL vulnerability.

U.K.-based Unix and Linux expert Stéphane Chazelas yesterday discovered a major bug in the Unix-like Bourne Again Shell software, also known as Bash, one of the most widely used command processors in the Linux and Mac OS X operating systems.

Just how bad is it? Beyond having earned the nickname Shellshock, the Bash shell vulnerability has actually been lurking in your enterprise's Linux software for more than 20 years and can be found in every version of the shell up to 4.3. It's so bad that US-CERT's National Vulnerability Database gave the flaw a 10.0 rating -- the most severe, based on the common vulnerability scoring system.

That rating is no joke: Because Bash is not only an extensively used utility but also very versatile, an attacker who triggers the Bash shell bug properly can exploit it in various ways to take complete control of a targeted system. It's also easy to exploit because the bug can be triggered remotely without authentication.

This all sounds pretty petrifying (and the scary superlatives being thrown around aren't helping), so let's get to the practical stuff. What can enterprise CIOs do stat to curb Shellshock's impact, particularly considering that enterprises' servers are predominantly based on Unix?

It might be a relief to know that your primary servers and known systems such as Web servers are likely not vulnerable to the bug, according to Errata Security's Robert Graham. However, many experts are still urging enterprises to test and patch regardless, particularly older machines and unknown systems. Currently, patches are available from Linux variants CentOS, Debian and Ubuntu, as well as Red Hat; no word from Apple yet on an official OS X patch, but there is a Stack Exchange post that outlines how users can scan and update their systems. A US-CERT advisory also recommends a GNU Bash patch for experienced users and admins.

Additionally, users uncertain whether a particular system is vulnerable to the bug can test it with the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output contains the line vulnerable ahead of this is a test, a flawed version of Bash is present on the system.
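As an added example (not code from the original article), the following POSIX shell script wraps the probe above into a function that returns a one-word verdict, so it can be run across the older and unknown machines the experts mention instead of being eyeballed on each host. The list of bash paths it checks at the end is an assumption.

```shell
#!/bin/sh
# Added example (not code from the original article): wraps the probe quoted
# above in functions so an admin gets a one-word verdict per bash binary.

# Classify the probe's output. The demo below feeds it real probe output;
# it can also be fed constructed strings to exercise each branch offline.
shellshock_verdict() {
    case "$1" in
        *vulnerable*)       echo "vulnerable" ;;  # the trailing command ran
        *"this is a test"*) echo "patched" ;;     # only the intended command ran
        *)                  echo "unknown" ;;     # binary missing, crashed, or odd output
    esac
}

# Run the article's probe against one bash binary (path or name on PATH).
# Only stdout decides the verdict; stderr is discarded because a fixed bash
# emits a warning there about ignoring the function definition.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "unknown"
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    verdict=$(shellshock_verdict "$out")
    echo "$verdict"
    [ "$verdict" = "patched" ]
}

# Demo: check the bash binaries commonly found on a host (assumed paths).
# Missing binaries are reported as unknown rather than skipped, so an
# inventory script can tell which binaries were actually exercised.
for bin in bash /bin/bash /usr/local/bin/bash; do
    printf '%-20s %s\n' "$bin" "$(shellshock_check "$bin")"
done
```

The exit status of shellshock_check is 0 only for a patched binary, so the function can be used directly in a condition from a configuration-management or inventory job.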

These tips come with a caveat. Security experts such as Graham and Berkeley ICSI researcher Nicholas Weaver warn that, especially for large enterprises, it will take a huge amount of time to test and patch systems, and even then, not every vulnerable system will get patched -- which means that, just like the Heartbleed bug, the "subtle, ugly" Shellshock will remain in our systems for years, Weaver told The Verge.

Along with sound and detailed advice, Graham used even blunter words in Errata's blog to describe the bug's impact:

"Anything that responds [to scans] is probably an old device needing a Bash patch. And, since most of them can't be patched, you are likely screwed."

On that bright note, get patching!

CIO news roundup for week of Sept. 22

Just because it's almost the end of September doesn't mean the news has slowed down -- here's more from the week:

  • Alas, the Bash shell flaw wasn't the only security-related item being buzzed about this week. Restaurant chain Jimmy John's announced Wednesday that a hacker stole customer data, including payment card numbers, from the company's vendor and used it to breach 216 of its locations.
  • Apple's new iPhones are doing pretty well for themselves. The company sold more than 10 million of the devices last weekend -- the biggest opening weekend in iPhone history. But the hype isn't all positive: It looks like the Plus model is suffering from the case of the bends.
  • Speaking of, did you break your iPhone case recently? You could either buy a new one, or ... head to the nearest UPS store. The shipping company announced plans earlier this week to roll out 3-D printing services to nearly 100 locations nationwide; a printed iPhone case, FYI, runs for around $60.
  • Remember BlackBerry, the phone maker whose device sales were almost obliterated by the advent of touchscreen smartphones? Well, the company is now completely revamped, and with the rollout of its BlackBerry Passport, it just might make a comeback. Before you laugh at the new phone's … squareness, read on.
  • Another use case for smartwatches: a means to communicate with your deaf Lyft driver. The ride service company confirmed its trend of hiring more hearing-impaired drivers, thanks to the I See What You Say app.

Check out our previous Searchlight roundups on how Apple's privacy policy puts consumers first and the challenge the iPhone 6 and Apple Watch pose to CIOs.

Next Steps

Get deeper into the details of the Bash bug on SearchSecurity. Then, read SearchCIO's coverage of a different flaw, the XSS vulnerability. Finally, check out our CIO guide on crafting an enterprise risk management strategy.


How is your company debugging Bash from your systems? Or is Bash too widespread to fix at your company?