There have been several atrocious security vulnerabilities announced in the last few months, with “Heartbleed” in web servers and Shellshock in shell command lines. There are too many questions in the air “Are Heartbleed and Shellshock really serious? Which one is more dangerous?” Few security skeptics may also treat these as ‘hypes’ and try to ignore by saying “So Shellshock is the newest vulnerability; the last time they said that, it was Heartbleed…how many times you’ll scare me?!”
So let us try to make a few points straight to our readers. You’re right to be skeptical, but don’t let that skepticism abstain you from keeping your data safe.
Heartbleed or Shellshock? – It’s like ‘Between The Devil & The Deep Blue Sea’!
Both the vulnerabilities have been around for years and affected components are embedded in lots of hard-to-reach areas. The vulnerabilities are in open-source code. Vendors love to use open source components for applications and devices, especially embedded ones because they’re cheap and legally unencumbered. But there’s a downside: many open source components, even widely used ones like OpenSSL, aren’t always maintained as carefully as they should be.
Heartbleed vulnerability was discovered by three researchers — Neel Mehta from Google and two others. What this vulnerability does is allow a malicious user to steal sensitive information such as private keys, passwords, etc. The vulnerability is present in a module of OpenSSL called TLS heartbeat extension which is used to generate heartbeat messages. Hence the name Heartbleed for this vulnerability. This heartbeat handshake is usually done during the negotiation time of the SSL protocol and much before https takes over, in case SSL is used under https. Thus, the vulnerability is not present in layer 7 but rather at layer 4.
Bash is the software used to control the command prompt on many Unix based computers. Hackers can exploit a bug in Bash to take complete control of a targeted system. Right from routers, to all kinds of other systems, shell scripts are used, and this vulnerability can play havoc. In fact, the bash shell is so ubiquitous that it may be impossible to know the full extent of this vulnerability. You may be vulnerable even if you are using the shell to connect to a remote system. The way out is to upgrade your shell to the latest version. Patched bash shells are now out from various vendors. The other workaround is to insert WAF signatures to block this vulnerability/exploit in case you are running a website.
In the case of Heartbleed, the best advice was to wait for your favorite sites to patch themselves, then change your passwords. For Shellshock, you should patch your Mac or Linux computer, and then hope that everyone else – especially system administrators and engineers -does the same. Plus, while researchers say they’ve seen the effects of both exploits in the wild, it’s not like people are losing their computers or flooding tech support hotlines with calls about broken computers – not the way we saw back in the early 2000s when viruses made the evening news.
When you hear about these types of vulnerabilities, they’re worth sitting up and paying attention to, especially if you work in IT, or are in a position to actually do something about it. And if you can patch your own computer, you should. It’s easy to get fatigued when it seems like every week there’s a new hack, more credit card numbers lost, and more passwords to reset, but things aren’t about to change soon, and those hacks deserve at least enough attention to make sure your bases are covered and your data is protected.
Mehul Shah, former Chief Strategy officer, Indusface