Several months after the Heartbleed OpenSSL flaw made news as one of the most serious Internet security breaches ever, the open source community once again scrambled to patch another major security bug – Shellshock. Today Shellshock continues to be used by hackers to exploit vulnerabilities.
I’m anything but shocked. I see Shellshock as a failure in the mindset of the open source community, where everyone waits for someone else to find and patch security vulnerabilities.
Open Source Platforms Are Now a Target for Hackers
One of the interesting effects of all the bashing that closed-source projects like Microsoft have incurred over the years has been the embrace of more open software like Linux and OSX – and the subsequent attention that these systems have gained from would-be attackers. It has shone a light on one of the biggest lies perpetrated in IT: "we are not vulnerable because we don't use Microsoft." Well, with Heartbleed and now Shellshock, the proof is here and it's time for Linux and OSX and UNIX to take some heat.
What's scary is that this flaw has been around for some time, and the first round of patches for Shellshock has not fixed the problem of unauthenticated scripts gaining privileged access to data and services. Given the nature of the patch and the wide variety of servers it affects – especially web servers – I expect we will continue to see more rounds of data theft and public shaming.
Many home devices – including cable boxes, routers, NAS devices, and of course enterprise and internet-connected devices and services – make use of Linux/UNIX running a bash shell. This is not an insignificant security vulnerability.
Shellshock Vulnerability – Password Updates are Key
Just as with Heartbleed, users need to stay on top of their vendors, credit card agencies and others to ensure that the problem gets fixed. And once it’s fixed, users need to change their passwords. If they don’t, every time they make a transaction on an affected web site, or a business or government agency puts the user’s data through those web servers, their data is at risk.
The products at the company where I work, Lieberman Software, are unaffected by Shellshock. Our products run exclusively on Microsoft Windows, so our customers’ deployments benefit from the documented and vetted security standards and regular security and patching cycles of those platforms. However, many software vendors’ products are based on open source software, so users need to be aware of these potential vulnerabilities. Of course, such proactive IT security diligence is a wise course of action at any time.