The security world is buzzing with news regarding the “Bash Bug”, also known as Shellshock,  a vulnerability discovered in one of the most fundamental interfaces powering the internet that is already being described as being ‘bigger than Heartbleed’.

shellshock_Linux_check

What does Shellshock do?
The flaw (officially CVE-2014-6271) has been found in a software component known as Bash, which is a part of many Linux systems as well as Apple’s OSX operating system. The vulnerability allows an attacker to execute code on a device that has the vulnerable version of bash installed. To be specific, in order to exploit this vulnerability remotely the device has to have a network service which incorporates bash as part of it’s regular operations. (i.e. cgi, dhcp client, ssh).

The threat actor can exploit this to either install malware on the device or enable them to bypass regular security controls and insert additional unauthorized commands that could enable the extraction of confidential user data or even to gain control over the web server or device.

More info can be found here – http://seclists.org/oss-sec/2014/q3/650

Why is this significant from a Mobile Perspective?
There is a potential mobile aspect to Shellshock. Neither Android nor iOS devices that have just left ”the box” include any Bash shells, making them immune to the problem. However, once a device has been either rooted and/or had a custom ROM installed (Android) or jailbroken (iOS) – there is every chance that a Bash shell has been installed making the device just as vulnerable as a desktop Mac or Web Server.

It’s hard to say just how many jailbroken and rooted devices there are out there. Research shows that the two newest iOS jailbreaks were downloaded around 5 million times, while just one of the most popular Android rooting kits has just over 1 million downloads.

What can I do?
As a best practice, rooted or jailbroken devices should not be allowed to be used in the organization. If they are already part of the organization the device should be tested for vulnerable bash versions and patched if they exist.

Also, though not necessarily just a mobile issue, we’d also recommend:

  • Keeping an eye on all accounts on which you store secure personal and/or company information for signs of unusual activity that could indicate the account has been compromised.
  • Apply patches to routers, or any other web-enabled devices in your home or office, as soon as they become available.


image credit: itsfoss