
Shellshock - Vulnerability in Bash

Date: Friday, 26 September 2014. By Marc Whittingham. In: Technical

As you may have heard from mainstream media sources, the UK cyber defence team “CERT-UK” yesterday issued an alert for a vulnerability in BASH. BASH is a component of Linux and other *NIX operating systems that provides users and administrators with command-line access to their machines. According to the reports, a French researcher discovered a flaw in this component that could allow malicious individuals to take control of vulnerable machines and that is, apparently, incredibly easy to exploit.

The flaw has been given the moniker ‘Shellshock’ and is the latest in a line of serious vulnerabilities, following the recent Heartbleed bug, which was made public some time ago. Although Shellshock is easy to exploit and BASH is incredibly widely used on all sorts of machines, from mobile phones to web servers and Apple computers, there has been no evidence to suggest that it has been exploited in the wild, and so it has apparently remained unknown until the recent discovery.

We have patched all of our servers and our customers’ servers to mitigate this risk and will continue to monitor the situation. According to CERT-UK, the hastily composed patch to fix the Shellshock problem has opened another, less serious vulnerability in BASH, and developers are working to create a new patch to supersede the old one.

John le Carré’s fictional protagonist George Smiley observed that “It's so easy, to get hypnotised by technique”, and what this and Heartbleed go to show is that there is no such thing as absolute security. Irrespective of what precautions and technologies we implement to protect ourselves, a failure to be vigilant and react appropriately makes it all count for nothing. Proper security is about a constant incremental process of vigilance, testing, monitoring, reacting and revising. Furthermore, this is another salutary lesson that security is everyone’s responsibility. While not everyone is a security researcher or programmer, we are all capable of being vigilant and responsible in responding to threats as they emerge, be that spam, viruses or coding vulnerabilities; we all have a role to play in defending ourselves against the mass of ever-evolving digital threats.

For those interested, further information can be found here: www.cert.gov.uk/resources/alerts/update-bash-vulnerability-aka-shellshock with a more prosaic explanation here: www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

Marc Whittingham


Technical Director

Our Technical Director, Marc, has been working at Blue Frontier since 2007 and is a major asset to our team. Recognised for his skill and hard work, Marc joined the board of directors in 2016. In addition to his role as Technical Director, he also holds the positions of Data Protection Officer, Quality Assurance Manager and Security Manager.
