
Heartbleed or Shellshock – Which one is more dangerous?

Posted Date: October 30, 2014
Posted Time: 3 min read

Several serious security vulnerabilities have been announced in the last few months, with “Heartbleed” in the SSL libraries behind web servers and Shellshock in the Bash command-line shell. Many questions are in the air: “Are Heartbleed and Shellshock really serious? Which one is more dangerous?” A few security skeptics may also dismiss these as ‘hype’ and try to ignore them, saying “So Shellshock is the newest vulnerability; the last time they said that, it was Heartbleed…how many more times are you going to scare me?!”

So let us set a few points straight for our readers. You’re right to be skeptical, but don’t let that skepticism keep you from keeping your data safe.

Heartbleed or Shellshock? – It’s like ‘Between The Devil & The Deep Blue Sea’!

Both vulnerabilities had been around for years before they were discovered, and the affected components are embedded in lots of hard-to-reach places. Both are in open-source code. Vendors love to use open-source components in applications and devices, especially embedded ones, because they’re cheap and legally unencumbered. But there’s a downside: many open-source components, even widely used ones like OpenSSL, aren’t always maintained as carefully as they should be.

Heartbleed was discovered by three researchers: Neel Mehta from Google and two others. The bug allows a malicious user to read sensitive information such as private keys and passwords out of the server. It lies in the OpenSSL module that implements the TLS heartbeat extension, the code that generates heartbeat messages, hence the name Heartbleed. The heartbeat exchange is usually done during SSL negotiation, well before HTTPS takes over (where SSL is used under HTTPS). Thus, the vulnerability is not present at layer 7 but rather at layer 4.
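The defect behind Heartbleed is a missing bounds check: a heartbeat request carries a payload_length field, and the vulnerable code copied that many bytes back to the peer without confirming the record actually contained them. The Python toy below is an added illustration, not code from OpenSSL or from the original post. It models a heartbeat record as type (1 byte), payload_length (2 bytes), payload and at least 16 bytes of padding, following the RFC 6520 layout, and contrasts the unchecked copy with a checked one that discards malformed records. The record bytes, the neighbouring “memory” and all function names are constructed for the demo.

```python
"""Toy model of the TLS heartbeat bounds check behind Heartbleed (illustration only)."""
import struct
from typing import Dict, Optional

HEARTBEAT_REQUEST = 1   # HeartbeatMessageType value for a request (RFC 6520)
HEADER_LEN = 3          # 1-byte type + 2-byte payload_length
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding


def parse_heartbeat_unchecked(record: bytes, adjacent_memory: bytes) -> bytes:
    """Vulnerable pattern: trust payload_length exactly as the peer sent it.

    Copies payload_length bytes starting at the payload.  When the peer claims
    more bytes than it sent, the copy runs off the end of the record into
    whatever sits next to it in memory (simulated here by adjacent_memory).
    """
    _msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    process_memory = record + adjacent_memory          # contiguous buffer stand-in
    return process_memory[HEADER_LEN:HEADER_LEN + payload_length]


def parse_heartbeat_checked(record: bytes) -> Optional[bytes]:
    """Fixed pattern: claimed payload plus minimum padding must fit in the record.

    Returns the payload to echo back, or None when the record is malformed and
    must be dropped without a reply.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:         # too short to hold a header + padding
        return None
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None                                    # the length field lies about the record
    return record[HEADER_LEN:HEADER_LEN + payload_length]


def build_record(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request; claimed_length may deliberately differ from len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def demo() -> Dict[str, Optional[bytes]]:
    payload = b"hello"
    honest = build_record(payload, len(payload))       # constructed, well-formed record
    lying = build_record(payload, 40)                  # constructed, claims 40 bytes but carries 5
    # Constructed stand-in for unrelated data that happens to follow the record in memory.
    adjacent = b"SESSION=abc123;secret=hunter2"
    return {
        "honest_checked": parse_heartbeat_checked(honest),     # b"hello"
        "lying_checked": parse_heartbeat_checked(lying),       # None: record discarded
        "lying_unchecked": parse_heartbeat_unchecked(lying, adjacent),  # 40 bytes, 19 of them from adjacent
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The checked parser returns the five-byte payload for the honest record and None for the lying one; the unchecked parser returns 40 bytes, the last 19 of which come from the constructed neighbouring buffer. That difference, a length field validated against the data actually received, is the whole of the published fix.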

Bash is the shell behind the command prompt on many Unix-based computers. Attackers can exploit a bug in Bash to take complete control of a targeted system. Shell scripts run on everything from routers to all kinds of other systems, so this vulnerability can play havoc; in fact, Bash is so ubiquitous that the full extent of the exposure may be impossible to know. You may be vulnerable even if you only use the shell to connect to a remote system. The way out is to upgrade Bash to a patched version, which various vendors have now released. If you run a website, the other workaround is to add WAF signatures that block this exploit pattern.
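The WAF workaround mentioned above is a string signature: unpatched Bash ran commands that followed a function definition exported through an environment variable, and CGI copies request headers into environment variables such as HTTP_USER_AGENT, HTTP_REFERER and HTTP_COOKIE. A rule therefore looks for the function-definition prefix `() {` in any header value. The Python below is an added example of that detection logic, not a rule from AppTrana or from the original post; the sample requests, header values and function names are constructed for the demo.

```python
"""WAF-style detection of the Shellshock header pattern (added illustration)."""
import re
from typing import Dict, List

# The function-definition prefix that unpatched Bash honoured when it imported
# the environment.  Whitespace is optional so spacing variants are also caught;
# benign parentheses with content between them, such as f(x), do not match.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def suspicious_headers(headers: Dict[str, str]) -> List[str]:
    """Names of the headers whose value carries the function-definition prefix."""
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]


def should_block(headers: Dict[str, str]) -> bool:
    """Block decision a WAF rule would take for one request."""
    return bool(suspicious_headers(headers))


def scan(requests: List[Dict[str, str]]) -> List[int]:
    """Indices of the requests in a batch that the rule would block."""
    return [i for i, headers in enumerate(requests) if should_block(headers)]


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"Host": "www.example.com", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Cookie": "sid=1234"},
    {"Host": "www.example.com", "User-Agent": "() { :; }; echo constructed-sample", "Cookie": "sid=5678"},
    {"Host": "www.example.com", "User-Agent": "curl/7.38.0", "Referer": "http://example.com/?q=f(x)%20{y}"},
]


if __name__ == "__main__":
    for index in scan(SAMPLE_REQUESTS):
        print(f"request {index} blocked on header(s): {suspicious_headers(SAMPLE_REQUESTS[index])}")
```

Only the second sample is flagged, on its User-Agent header; the third, whose Referer contains ordinary parentheses and braces, passes. Because the rule matches a literal prefix it only protects the web front end, so it is the interim measure the article describes, with the patched shell as the real fix.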

In the case of Heartbleed, the best advice was to wait for your favorite sites to patch themselves, then change your passwords. For Shellshock, you should patch your Mac or Linux computer, and then hope that everyone else, especially system administrators and engineers, does the same. Also, while researchers say they’ve seen both exploits used in the wild, people are not losing their computers or flooding tech-support hotlines with calls about broken machines, not the way we saw back in the early 2000s when viruses made the evening news.

Conclusion:

When you hear about these types of vulnerabilities, they’re worth sitting up and paying attention to, especially if you work in IT, or are in a position to actually do something about it. And if you can patch your own computer, you should. It’s easy to get fatigued when it seems like every week there’s a new hack, more credit card numbers lost, and more passwords to reset, but things aren’t about to change soon, and those hacks deserve at least enough attention to make sure your bases are covered and your data is protected.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.


Indusface
