As you may have heard from mainstream media sources, the UK Cyber defence team “UK-CERT” yesterday issued an alert for a vulnerability in BASH. BASH is a component of Linux and other *NIX operating systems that provides users and administrators with command-line access to their machines. According to the reports a French researcher discovered an easily exploitable flaw in this component that could allow malicious individuals to take control of vulnerable machines and, apparently, this flaw is incredibly easy to exploit.
The flaw has been given the moniker ‘shellshock’ and is another in a line of serious vulnerabilities after the recent Heartbleed bug was made public some time ago. While Shellshock is easy to exploit and BASH is incredibly widely used on all sorts of machines from mobile phones to web servers, and Apple computers, there has been no evidence to suggest that it has been exploited in the wild and so has apparently remained unknown until the recent discovery.
We have patched all of our servers and our customers’ servers to mitigate this risk and will continue to monitor the situation as, according to CERT-UK, the hastily composed patch to fix the Shellshock problem has opened another less serious vulnerability in BASH and developers are working to create a new patch to supersede the old one.
John Le Carre’s fictional protagonist George Smiley observed that “It's so easy, to get hypnotised by technique”, and what this and Heartbleed go to show that there is no such thing as absolute security, irrespective of what precautions and technologies we implement to protect ourselves, a failure to be vigilant and react appropriately makes it all count for nothing. Proper security is about a constant incremental process of vigilance, testing, monitoring, reacting and revising. Furthermore, this is another salutary lesson that security is everyone’s responsibility; while not everyone is a security researcher or programmer, we are all capable of being vigilant and responsible in responding to threats as they emerge, be that spam, viruses or coding vulnerabilities, we all have a role to play in defending ourselves against the mass of ever evolving digital threats.
For those interested further information can be found here : www.cert.gov.uk/resources/alerts/update-bash-vulnerability-aka-shellshock with a more prosaic explanation here: www.troyhunt.com/2014/09/everything-you-need-to-know-about.html