Shellshock: The Patching Dilemma
Akamai's Smith Sees Patching Perils, Lingering Flaws UnfixedDevelopers and security researchers are still scrambling to contain Shellshock a week after news of the flaws became public.
Shellshock refers to multiple security vulnerabilities that have been found in Bash - referring to the Bourne-again shell system software - which is the command-line shell used in most Unix-based operating systems, including Linux and Apple Mac OS X. Bash runs on more than half a billion devices, ranging from Web servers and e-mail servers to common devices such as routers.
Since Linux vendor Red Hat first sounded the warning that flaws in Bash could, in some cases, be remotely exploited to seize control of systems, developers and security researchers throughout the world have been burning the candle at both ends to push patches - or at least temporary fixes - that mitigate Shellshock.
But Michael Smith, director for Akamai's Customer Security Incident Response Team, says not all vendors' Shellshock patches and fixes are working as advertised. Some fail to patch all Bash-related flaws that have been discovered to date - at last count, there were six separate flaws. Other fixes create new problems, for example by breaking scripts that rely on Bash's export ability.
Meanwhile, it's up to IT professionals to try to keep track of not just the patches, but what's working, and what's not working. "Things get very complicated very quickly," Smith says during this first part of a two-part interview with Information Security Media Group.
List of Vulnerabilities Grows
Akamai on Sept. 27 released a blog detailing some of the newly identified vulnerabilities in Bash that could be exploited. Since then, however, the list of known vulnerabilities has grown, Smith warns.
"There has been a lot of effort in the last week to scan for these things," he says. And those scans continue to turn up new flaws, some of which are now being exploited in the wild. Indeed, cybercriminals have already incorporated exploits for the Bash flaws into their malware and distributed denial-of-service attacks.
To defend against Shellshock-targeting attacks, Smith recommends IT administrators focus first on scanning servers - especially e-mail servers - for Bash, and not focus too much attention on Web applications.
"Most websites today don't use Bash," he says. "It's really just a matter of patching on a per-server basis. ... Let's just find all of the servers that have Bash and make sure you are addressing Bash there."
During this interview, Smith also discusses:
- The link between Bash and common gateway interface scripts, better known as GGI applications;
- How Bash vulnerabilities are being catalogued and why the list of vulnerabilities is growing;
- How researchers are testing vulnerabilities that impact all industries.
In part 2 of this interview, coming soon, Smith details some of the many attacks against Bash that have been identified in the wild and reviews new patches that aim to safeguard systems against those attacks.
At Akamai, Smith leads a team of Web security incident responders and researchers that study Web attackers' tactics and techniques, then apply that knowledge to protect businesses from such events as site defacements, data breaches and DDoS attacks. Previously, Smith served as Akamai's security evangelist and as the customer-facing ambassador for its information security team.