To mitigate the risk of the newly discovered Bash bug - also known as Shellshock - which potentially makes millions of systems vulnerable to remote takeovers, organizations need to take several key steps, says security expert Alan Woodward.
Taking immediate action is essential, because the flaw in Bash could allow attackers to execute shell commands remotely, which would allow them to take control of a system, dump all data stored on the system, as well as launch automated worms that could use the vulnerability to exploit every Bash-using system inside a network. Everything from Unix, Linux and Apple systems, to servers, routers and network-attached storage devices are potentially at risk.
In this interview with Information Security Media Group, Woodward, who's a visiting professor at the department of computing at England's University of Surrey, as well as a Europol advisor, recommends all organizations:
- Upgrade all Unix-related software to versions that patch the Bash flaw, or else employ temporary workarounds;
- Disable remote log-in on all Mac OS X systems, until Apple patches the vulnerability;
- Comb the enterprise for every device that runs - or relies on an embedded version of - Unix or Linux, including routers and disk drives, to see if they're susceptible to the Bash flaw, and update their software or firmware accordingly.
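The inventory step above needs a per-host verdict. The following script is an added example, not part of the interview or any vendor's tooling: it runs the widely published local self-test (an environment variable whose value begins with "() {" followed by a trailing command) and reports whether the host's bash still executes that trailing command, which is the defect Woodward describes. The function names and the tab-separated report format are this example's own choices.

```shell
#!/bin/sh
# Added defender-side check (not from the article): does this host's bash
# still import function definitions from arbitrary environment variables
# and run whatever follows the definition? A patched bash prints only the
# probe string; an unpatched one also executes the trailing command.

shellshock_check() {
    # Optional argument: path to a specific bash binary (e.g. from firmware
    # pulled off a device); defaults to the bash found on PATH.
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # The marker only appears if bash executed the part after the function body.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# One tab-separated line per host, suitable for collecting across the estate:
# hostname, verdict, and the bash version string for correlating with vendor fixes.
shellshock_report() {
    verdict=$(shellshock_check "$1" || true)   # keep going whatever the verdict
    ver=$("${1:-bash}" --version 2>/dev/null | head -n 1)
    host=$(hostname 2>/dev/null || echo unknown-host)
    printf '%s\t%s\t%s\n' "$host" "$verdict" "${ver:-unknown}"
}

shellshock_report "$@"
```

Run it on each inventoried host (or against an extracted firmware copy of bash); a "vulnerable" verdict or a "no-bash" result on a device that is known to embed a Unix-derived shell both warrant follow-up.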
"Anything with any sort of Unix provenance tends to have Bash," Woodward warns. Notably, half of the world's Web servers run Linux-based Apache, which means more than 500 million Web servers alone are potentially vulnerable to the Bash bug.
To date, however, it's not clear if the flaw in Bash exists in every version of the utility released since 1989, although that's a strong possibility. Many vendors are already scrambling to test their applications and devices and release software and firmware upgrades that include a patch for the flaw. "The safest thing is just to assume that if you're running something that runs Bash, then you need to upgrade," Woodward says. "I suspect the hackers are going to find this very, very attractive."
But while the world waits for updates, Woodward highlights some related complications, including:
- Why updates may never get released for millions of devices that contain the Bash vulnerability, including many routers and webcams;
- The "force multiplier effect" created by a very simple - yet incredibly prolific - flaw;
- How the Bash bug previews the challenges facing businesses and consumers as Web-enabled Internet of Things devices continue to evolve.
Woodward is a visiting professor at the department of computing at England's University of Surrey, a cybersecurity advisor to Europol's European Cybercrime Center, as well as a non-executive director at TeenTech, which encourages teenagers to pursue careers in the fields of science, engineering and technology.