Shellshock Bash Bug – What is it?

Shellshock. It’s what the latest and greatest computer bug is being called. It’s a bug in the Bash shell – that impacts all UNIX-based systems, including Linux and Mac OS X. It also includes devices like WiFi routers and devices that have UNIX code and Bash installed. And it’s big. Bigger than the Heartbleed bug that shocked the world just a few short months ago. The bug was discovered by the security team at Red Hat (a developer of Linux software).

Why is it such a threat? The Bash bug is more dangerous than Heartbleed because it involves ‘remote control.’ While Heartbleed involved siphoning data from a computer (scary, indeed!), it was not able to initiate any programs on the computer. Shellshock, on the other hand, involves exploitation from external sources including the initiation of operations on that computer. Because servers are involved, there is a much larger risk involved.

As of this writing, Red Hat has released patches for the bug. The bug also affects Apple OS X. While Apple has not yet released a pack, StackExchange has posted a way for Mac users to check to see if they are affected.

Is Sticky Password Affected?

Shellshock does not affect Sticky Password customers. Sticky Password is not vulnerable to Shellshock (the Bash Bug). Sticky Password is designed for desktop computers (and smart phones and tablets) – not servers! In general, if there is any risk for external access to a desktop (and thereby being exploited externally) it is very limited. In addition, the Sticky Password application does not run on Linux or OS X. For these reasons, Sticky Password users are not impacted by Shellshock.

Our servers have not been exploited. We do not use potentially vulnerable techniques based on Bash on the Sticky Password cloud and web services. Of course, we are taking a proactive approach by deploying the patches as they are made available for all pertinent servers. We continue to monitor the situation with our partners.

While Shellshock and Heartbleed aren’t related in terms of technology, they do have something in common. Both are bugs that were discovered only years(!) after they were widely deployed. Finding bugs is by definition an after-the-fact sort of thing, but might this be an indication of a trend in security threats? Public discovery and revelation of bugs, years after they are omnipresent!? That speaks to the almost impossible task of testing every aspect of software, rather than a programmer trying to include the malicious code by stealthy means.

What to do now?

When it comes to your own security, the first step is to stay informed. You don’t need to be an IT expert to change your password, make sure you have good security software tools on your computer, and keep your software up-to-date. Paying attention to these threats will also help keep you from panicking unnecessarily when a threat doesn’t affect you.

Additional news about Shellshock: