
The Wall Street Journal, By Steven Norton

The Shellshock bug likely poses a more critical threat than Heartbleed did earlier this year, analysts say. As companies scramble to assess their systems’ vulnerability and apply the appropriate patches, it may also be a time for CIOs to take stock of their security posture and prepare their systems for the next inevitable bug.

Also called the “Bash bug”, Shellshock affects a commonly used, decades-old piece of open source command prompt software called Bash. It is widely used on a number of Unix-based and Linux-based computers, as well as Mac OS X, and runs on up to 50% of all Web servers. It also extends to Android devices and some embedded technology that makes up the Internet of Things. From a CIO perspective, these devices could be more difficult to address.

Companies including Google Inc. and Amazon.com Inc. raced to patch their own systems, the Journal’s Danny Yadron notes, and a slew of security companies published blog posts about how to respond to the vulnerability. The Journal notes that unlike with Heartbleed, which prompted 40% of Americans to change their passwords, there’s not much the everyday consumer can do.

If exploited, the bug could allow an attacker to run any command on a vulnerable machine. A hacker exploiting a vulnerable website, for example, could download and install malware, delete files or obtain administrative access privileges. The bug was discovered by researcher Stephane Chazelas and made public Wednesday.

“This is certainly one of the worst, if not the worst, vulnerabilities that’s been discovered this year,” said Roel Schouwenberg, a security researcher at Kaspersky Lab. “We most definitely haven’t seen the end of all the different implications.”

Companies ‘Patching Like Crazy’ to Stem Shellshock Flaw - The Wall Street Journal
