Shellshock - Vulnerability in Bash

Date: Friday, 26 September 2014, By: Marc Whittingham, In: Technical

As you may have heard from mainstream media sources, the UK cyber defence team, CERT-UK, yesterday issued an alert for a vulnerability in BASH. BASH is a component of Linux and other *NIX operating systems that provides users and administrators with command-line access to their machines. According to the reports, a French researcher discovered a flaw in this component that could allow malicious individuals to take control of vulnerable machines and that is, apparently, incredibly easy to exploit.

The flaw has been given the moniker ‘Shellshock’ and is the latest in a line of serious vulnerabilities, following the Heartbleed bug that was made public some time ago. Although Shellshock is easy to exploit and BASH is incredibly widely used on all sorts of machines, from mobile phones to web servers and Apple computers, there has been no evidence to suggest that it has been exploited in the wild, so it has apparently remained unknown until the recent discovery.

We have patched all of our servers and our customers’ servers to mitigate this risk and will continue to monitor the situation. According to CERT-UK, the hastily composed patch to fix the Shellshock problem has opened another, less serious vulnerability in BASH, and developers are working to create a new patch to supersede the old one.

John le Carré’s fictional protagonist George Smiley observed that “It's so easy to get hypnotised by technique”, and what this and Heartbleed go to show is that there is no such thing as absolute security. Irrespective of what precautions and technologies we implement to protect ourselves, a failure to be vigilant and react appropriately makes it all count for nothing. Proper security is a constant, incremental process of vigilance, testing, monitoring, reacting and revising. Furthermore, this is another salutary lesson that security is everyone’s responsibility. While not everyone is a security researcher or programmer, we are all capable of being vigilant and responsible in responding to threats as they emerge, be that spam, viruses or coding vulnerabilities. We all have a role to play in defending ourselves against the mass of ever-evolving digital threats.

For those interested, further information can be found here: www.cert.gov.uk/resources/alerts/update-bash-vulnerability-aka-shellshock, with a more prosaic explanation here: www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

By: Marc Whittingham

Marc joined Blue Frontier in 2007 and was welcomed to the board of directors in 2016. With industry experience dating back to 2003, he heads up the technical support team with a strong focus on service. As our lead networking and virtualisation engineer, Marc provides the invaluable link between clients and technicians. His incredible versatility is evidenced by his further roles as: Information Security Manager, Data Protection Officer and Quality Assurance Manager.