It often seems that hardly a day goes by without some internet security risk hitting the mainstream media, and last month was no exception. September gave us a vulnerability that’s predicted to have even further-reaching effects than the Heartbleed bug. What’s more, the vulnerability didn’t just affect Windows systems for a change, but Mac OS X, Linux and Unix systems.
In recent years, the use of Macs amongst consumers has risen dramatically, and on top of this many websites rely on Linux and Unix, so it’s certainly something to be taken very seriously. In fact, according to Information Week, “it’s as serious as security bugs get.” It’s nothing new either: it’s thought that Shellshock has been around for about 22 years, with the earliest version of Bash affected being from 1994. It’s further thought that the vulnerability appeared in a Bash version from 1992 which introduced new features. The latest version, 4.3, also contains the vulnerability.
Bash? What’s That?
Bash is the standard command line interface that’s found on most Linux machines, and the vulnerability that it contains is rated as being extremely simple to exploit. Since the news emerged about Shellshock, there have been plenty of incidents of hackers attempting to do just that, with the latest high-profile target being Yahoo!.
What this means is that anyone who visits a website that’s hosted on a vulnerable server could potentially be affected. Whilst Bash is not native to Windows, there is a similar version for the platform known as Cygwin, which could also be vulnerable. Of course, the cybercriminal element is never slow to exploit these things and so it’s possible that the exploit could be used to spread malware.
What Can You Do to Protect Yourself?
If you’re running Mac OS X then ensure that you download and install any OS security updates as soon as they become available and that your security software is up-to-date. Using a URL scanner (often bundled with your antivirus software) to block access to potentially unsafe sites is also advisable. Currently, many vendors both large and small have applied patches, but if you do have a website then it’s a good idea to check with your hosting supplier that they have patched their servers.
You can also check for the vulnerability at Shellshocker, but this is only really recommended for the more advanced user.
Should I Worry?
As long as you do everything as suggested above to protect yourself, there’s no real reason to worry about Shellshock at this stage. You should of course change your passwords, especially if you use the same one for more than one online login. Ideally, you should use a password manager such as LastPass to generate and store complex passwords so that you’re more fully protected.
The biggest worry surrounding Shellshock is how it will be used by cybercriminals looking to make some money out of it. There’s already evidence to suggest that the exploit is being used to spread Mac OS malware known as Kaiten, which in turn is used to perform “devastating” DDoS (distributed denial of service) attacks on organisations. However, Apple has already issued security updates to address the vulnerability, so patched systems should be safe.
Apple does warn, however, that users who have configured their machines to use the Advanced Unix Services remain affected by the vulnerability. This is commonly configured on machines that access other machines such as intranet and web servers remotely.
So in order to ensure that you’re fully protected, you should carry out the following steps.
- If using Mac OS X, ensure that all security updates are applied
- Install reputable antivirus software such as Kaspersky
- If you have a personal blog or website then check that the server is patched with your web hosting company
- Change all online passwords using a generator and store in a password manager
For web professionals/IT administrators:
- If you’ve configured your Mac to use Advanced Unix Services, then disable this and patch the system
- Check your servers for the vulnerability using the Shellshocker link above
- Patch systems where appropriate
It’s important that you carry out these checks to ensure that you don’t become affected by malware or have systems accessed by hackers.
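For administrators with shell access, the server check in the list above can also be run locally. The script below is an added example, not taken from the original article or from Shellshocker; the function names, the marker string and the list of bash paths are assumptions. It tests one behaviour only: whether bash runs a command that trails a function definition imported from an environment variable.

```shell
#!/bin/sh
# Added example: test local bash binaries for the Shellshock flaw.
# Function names, marker string and path list are assumptions of this example.

# probe_bash PATH -> prints "vulnerable", "patched" or "missing"
probe_bash() {
    bash_bin=$1
    # Nothing to test if the path is not an executable file.
    if [ ! -x "$bash_bin" ]; then
        echo missing
        return 0
    fi
    # Put a function definition in an environment variable and append a
    # harmless echo. An unpatched bash runs the echo while importing the
    # variable at startup; a patched bash does not.
    marker="SHELLSHOCK_PROBE_$$"
    out=$(env probe="() { :;}; echo $marker" "$bash_bin" -c 'true' 2>/dev/null) || true
    case $out in
        *"$marker"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# audit_bash_binaries PATH... -> prints one "result<TAB>path" line per path;
# returns 1 if any binary is vulnerable, 0 otherwise.
audit_bash_binaries() {
    rc=0
    for b in "$@"; do
        r=$(probe_bash "$b")
        printf '%s\t%s\n' "$r" "$b"
        if [ "$r" = vulnerable ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Common install locations; copies installed outside the operating system's
# own package (for example under /usr/local) need their own update.
audit_bash_binaries /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash \
    || echo "At least one bash binary needs patching"
```

A "patched" result covers this probe only, so applying the vendor's current bash update remains the fix.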
The Threat Landscape
In general we’re not particularly winning the war against cybercrime, which is now a multi-billion-pound worldwide industry. For the most part, this is often due to a lack of education and awareness at end user level. Email phishing has become increasingly sophisticated and as such, is still an effective means to get people to click through on dodgy links. However, the widespread use of social media is also responsible, as people tend to fall for the copious number of scams that supposedly offer free gifts, vouchers and more.
Many users don’t understand the importance of anti-malware software and why it’s necessary to keep it up-to-date. This could be said to be especially true of Macs, as for many years it was argued that they are not capable of getting a virus or other malware. This was disproved with the 2012 Flashback botnet which affected around 600,000 Macs worldwide.
More recently, a new threat to the Mac has emerged, known as iWorm, which disguises itself as an application known as ‘com.JavaW’. On an infected machine, the malware runs automatically and awaits instructions from its C&C server. It’s thought that there are currently around 18,000 infected machines and that threats to Mac OS X in general add up to around 40 in total.
So contrary to popular belief, if you run a Mac, then you absolutely do need antivirus software.
It’s also advisable to never click through on email links or open attachments that are unsolicited – there are a huge number out there at the moment that attach ‘invoices’, for example. These are generally presented in a zip file, and it’s quite common to get bogus ones from purported government sites, so it pays to take care.
When it comes to social media, the idea that ‘if it seems too good to be true, it probably is’ holds true.
Shellshock is a concern for many users and site owners alike, but if you take steps to prevent the bug being exploited as detailed above, then you should avoid any nasty consequences.