InsightaaS: We usually try to save up security-related items for Fridays, but the recent publicity around Shellshock – plus the clarity of today’s featured post – prompted us to rearrange this week’s ATN rotation. “Bash ‘Shellshock’ vulnerability — what you need to know” was posted on Naked Security, a news/blog site hosted by security vendor Sophos, by Paul Ducklin, a senior Sophos technologist based in Sydney, Australia. In the post, Ducklin uses a clear, logical structure to explain Shellshock to “the reader” – and it’s a tribute to Ducklin that this reader could be anyone from an IT security professional to a business manager looking to understand the nature and implications of the threat. Ducklin follows “what is Shellshock?” with a background explanation of “what is a command shell?” and then walks through five related questions, with examples where they are helpful, to drill down into Shellshock: how it works, why it eludes conventional systems designed to protect against threats, and whether there is an update to Bash, the shell in question, that will fix the problem (spoiler alert! “a reliable and complete patch for Bash is not yet ready,” as of Sept. 25). He closes by explaining Sophos’s perspective: “As far as we are aware, none of Sophos’s Linux or UNIX products use Bash in a way that would allow this vulnerability to be exploited with data supplied by an attacker from outside,” adding that “Nevertheless, we intend to update any Sophos-supplied versions of Bash once a reliable and complete patch is ready and tested.”

This type of sponsored reportage, in which firms help users to understand an important issue in the industry and articulate where and how their own products are (or aren’t) affected, is fast becoming the norm on the web, and in trade coverage in general. This piece shows that a commercial interest in the conclusion doesn’t mean that the core content will be of less value than ‘independent’ sources have traditionally provided.
What is “Shellshock”?
Shellshock is the media-friendly name for a security bug found in Bash, a command shell program commonly used on Linux and UNIX systems.
The bug is what’s known as a Remote Code Execution vulnerability, or RCE.
This means that someone who isn’t already logged on to your computer might be able to trick Bash into running a program that it wasn’t supposed to.
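As a concrete check to go with the definition above, here is an added example that is not part of Ducklin’s post or any Sophos material: a POSIX shell function that runs the widely published test for the original Shellshock bug, CVE-2014-6271. The function name shellshock_check, its arguments and the marker string are assumptions made for this example. The variable name HTTP_USER_AGENT is used because web servers running CGI scripts copy request headers into environment variables with names of that form, which is how someone who has never logged on to the machine can get attacker-chosen text in front of Bash; the bug itself does not care what the variable is called.

```shell
#!/bin/sh
# Added example: check a Bash binary for the original Shellshock bug
# (CVE-2014-6271). The function name, its arguments and the marker
# string are assumptions of this example, not from Sophos or the page.
#
# Usage: shellshock_check [ENV_VAR_NAME] [PATH_TO_BASH]
# Prints exactly one of: vulnerable, patched, no-bash

shellshock_check() {
    var_name="${1:-HTTP_USER_AGENT}"
    bash_bin="${2:-bash}"

    # Nothing to test if the requested bash is not installed.
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # The trap: a value that looks like an exported function definition,
    # "() { :;}", followed by an extra command after the closing brace.
    # A vulnerable Bash executed that trailing command while importing
    # its environment, i.e. before the -c script it was actually asked
    # to run. The variable name does not matter to Bash; HTTP_USER_AGENT
    # is chosen because CGI web servers hand request headers to scripts
    # under names of exactly that form.
    out=$(env "$var_name=() { :;}; echo SHELLSHOCK_MARKER" \
              "$bash_bin" -c 'echo harmless' 2>/dev/null)

    # A patched Bash ignores the trailing command, so the marker never
    # appears in the output.
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *) echo "patched" ;;
    esac
}

# Report on the bash found on PATH when the script is run directly.
shellshock_check HTTP_USER_AGENT
```

Two caveats for anyone using this as a check: it only exercises the original CVE-2014-6271 form of the bug, not the follow-on parser variants that were found after the first patch (which is why the post above notes that a complete fix was not yet ready on Sept. 25), and a “patched” result says nothing about whether any service on the host actually exposes Bash to outside input in the first place.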
What’s a command shell?
A command shell is a program that helps you run other programs on Linux and UNIX, much like the Command Prompt on Windows.
Bash stands for “Bourne Again Shell” (a pun celebrating that it was derived from an earlier shell written by Stephen Bourne of Bell Labs).
You can use Bash interactively, typing in commands and immediately viewing the output, or as a tool to help you run a series of programs specified in a text file called a shell script…