This awkward discovery affects millions of devices, computers, and servers. It was rated with level 10 severity by the National Vulnerability Database. Just how alarmed should consumers and organizations be? Well, the last major vulnerability of this scale was Heartbleed, and it only received a 5 rating. Companies are encouraged to patch any systems that utilize the bash command shell, which is the focal point of the newest vulnerability.
If you’re not a programmer, it can be difficult to truly understand why the Shellshock vulnerability is so dangerous. Luckily, YouTube personality Tom Scott has uploaded a video that explains the vulnerability in its simplest terms. In his video, “The Shellshock Bug In About Four Minutes,” Scott describes how a simple alteration to a command’s syntax can allow attackers to send virtually any request to a computer. This means that someone could potentially install malware remotely, display messages, delete files, or conduct a variety of activities on a machine without permission.
Sadly, Shellshock isn’t a bug that you can just wipe from a computer. It is a vulnerability that is built into Unix-based systems, including Apple computers. This bash shell issue has actually gone undetected for 25 years. This vulnerability, along with Heartbleed, demonstrates what can go wrong when we rely on open-source programming to serve as the backbone to modern day products and services. The bash shell was also developed within an open source project, generally comprised of volunteer programmers. Most of these codes aren’t tested against the current deluge of modern day threats before they are incorporated into new technologies.
Unfortunately, the Shellshock exploits have already started. Security firms such as AlienVault have revealed that they have measured a number of attacks targeting the company’s “honeypots.” These are computers that security companies deliberately make vulnerable, so that they can measure the severity and rates of attacks. AlienVault describes the types of malware attackers have been using once they discover a vulnerable system. The malware pulls information up about a computer’s profile, and then it feeds systems with common passwords (like “admin” or “12345”) in order to force its way into other systems.
So how can you stay safe from a vulnerability that affects millions? Well, you can protect yourself against malware by performing regular antivirus checks and by rotating your passwords on a regular basis. You can also keep an eye out for all system updates, which will likely contain patches for vulnerable technologies. Companies are trying to outpace the risk by releasing patches through system or software updates. So don’t keep hitting that “later” button — get your technology updated now.
Since the vulnerability could also affect the Internet of Things (IoT), then you’ll also want to install updates that become available for peripheral accessories that also connect to the Internet. These include home automation devices, routers, health technologies, and many other tools with online access. It is likely that developers will release patches for these accessories very soon. Protect your personal and private data by running updates and leveraging strong passcodes on all of your technology.