
If 2013 was the year of the mega breach, 2014 may be the year of the giga breach.

Last week Mike Walls posted a blog explaining the Shellshock vulnerability in Bash, the shell built into Unix-based systems. Media reports said that Shellshock is potentially more damaging than Heartbleed, the serious flaw in the widely used OpenSSL cryptographic software, because where Heartbleed invades a server and spies on network activity, Shellshock allows hackers to remotely take complete control of any system using Bash.

An estimated 500,000 machines worldwide are said to be vulnerable to Heartbleed, compared to 500 million machines potentially hit by Shellshock, including Apache servers and broadband routers all over the globe.

On Friday Oracle warned that more than thirty of its products are susceptible to exploitation via Bash, including its high-performance Exadata database storage appliance, often used by cloud storage providers. Oracle said that it is only able to fix two of its products at this time: the Oracle Linux and Solaris operating systems.

Over the weekend, the Federal Financial Institutions Examination Council advised U.S. banks to immediately identify their systems using Bash, update the software, and contact all third parties in their business chain to cooperatively mitigate damage. The FFIEC, an interagency body which prescribes common standards for banks and financial institutions, including the Federal Reserve, the FDIC, and others, said: “The pervasive use of Bash and the potential for this vulnerability to be automated presents a material risk.”

Michael Walls’ detailed recommendations for vulnerability testing and patching can be found here.

EdgeWave EPIC engineers and analysts monitor web and email threats around the clock, and build security solutions in immediate response to vulnerabilities in all platforms, including Linux-based systems. Visit EdgeWave.com to learn more.

Read more about Heartbleed

US-CERT Recommendations