More than a month after the Shellshock bug was uncovered, revealing a vulnerability in the Bourne Again Shell (or Bash), security researchers are still releasing warnings.
The most recent one confirms wide use of the bug to build botnets of vulnerable systems, while another warns of new attacks against SMTP email servers.
Bash is a Unix command interpreter, or shell, which is enormously popular and is the default in most Linux distributions and Mac OS X. It is equivalent to "cmd" on Windows-based systems.
While a robust patch is now available, its roll-out has been lengthy and has left systems exposed to attacks. It is important that organisations take steps to assess their exposure and ensure all systems are secured.
The first step is to identify all relevant systems for patching. Systems running Linux and Mac OS X are obvious, but all Unix-based servers and systems with Cygwin and other suites providing Unix-like environments must be included.
Bash may not be the default shell on all these systems, but it is important to know where it is present. Scanning tools can help identify installation of Bash in embedded systems such as routers or network cameras.
READ MORE ON SHELLSHOCK from the Computer Weekly Security think tank
Second, roll out patches provided by Unix-based systems. The source code of Bash and the patch are publicly available and can be recompiled on vulnerable systems. Embedded systems for which no patch or new firmware is available need to be isolated from the network and manufacturers contacted for assistance.
Finally, Shellshock and Heartbleed are forcing organisations to assume they have been breached and to respond accordingly.
Because of the time between bug disclosure and patching, vulnerable systems may have been modified in ways the patching will not correct. For this reason, organisations need to monitor systems for unusual activities and verify their ability to respond.
Mathieu Cousin is a senior research analyst with the Information Security Forum (ISF).
This was first published in November 2014
