The Shellshock Security Flaw: What You Need to Know
A flaw that has existed for decades in software fundamental to many computer systems was recently discovered; it leaves those systems open and vulnerable to hackers.
The Shellshock bug is a flaw discovered in mid-September but thought to have existed since 1992. Shellshock was given the highest warning level from the National Institute of Standards and Technology because it’s simple enough to be easily exploited, but powerful enough for severe results. It’s a nasty combination.
It exists in an extremely basic, extremely common program fundamental to many computer systems; according to the New York Times, perhaps as many as 70 percent of them. As Gizmodo put it, “the distribution of the bug is unknowably vast. [It] is baked into so many systems and has been around for so long that in all likelihood, the bug will never be fully fixed. This is vulnerable software that has been spreading across the technological world for years and years.”
If this sounds worrisome, it is. However, there are a few caveats.
- Shellshock does not affect Windows-based servers, only UNIX-, Linux- and Mac-based web servers.
- Shellshock is a security flaw, not a virus. Having the Shellshock bug is therefore an open door to a problem, not a problem in itself.
- To exploit Shellshock, a hacker must first gain access into the computer or server. There are typically several layers of physical and virtual security in place to prevent that.
The likely targets of a hacker exploiting Shellshock are an individual using an unsecured WiFi connection on a UNIX- or Linux-based computer or a Mac running an older OS, or more likely, a corporate Internet server that has not been patched, updated and secured.
What’s the Impact on Pharma Companies?
We recommend that pharmas confirm that their own web servers, and those of their hosting providers and other vendors, have been checked and updated to correct the Shellshock vulnerability. For our own systems, we have taken the following steps:
- Restricted server access, both virtual and physical
- Monitoring for unauthorized access attempts
- Installed all Shellshock patches provided by Red Hat for Bash, the affected software, on our three Red Hat Linux-based production servers
- Tested and confirmed that Shellshock has been eliminated on those servers
- Continuing to monitor the issue
- Making necessary adjustments and updates immediately, as appropriate
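The “installed the patches” and “tested and confirmed” steps above are the ones a practitioner will want to reproduce on their own servers. The script below is an added example, not code from the original post or from Red Hat: it runs the standard behavioural probe for the Bash function-import flaw against a chosen bash binary and reports whether the fix is in place. The environment-variable name `SHELLSHOCK_PROBE` and the marker string are constructed for this example; the function names `check_shellshock` and `shellshock_status` are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): probe a bash binary for the
# Shellshock function-import flaw and report whether the patch is in place.
#
# Exit codes of check_shellshock:
#   0 = patched (the trailing command in the crafted variable is ignored)
#   1 = vulnerable (bash ran the trailing command while importing the environment)
#   2 = the requested bash binary could not be found

check_shellshock() {
    bash_bin="${1:-bash}"   # interpreter to test; defaults to the first bash on PATH
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # SHELLSHOCK_PROBE is a constructed variable name. Unpatched bash parses any
    # environment value beginning with "() {" as a function definition and keeps
    # executing past the closing brace, so the marker appears in the output.
    # Patched bash only imports functions from specially named variables and
    # prints "ok" alone.
    out=$(env SHELLSHOCK_PROBE='() { :;}; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c 'echo ok' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_MARKER*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Human-readable status string for a report or a monitoring check.
shellshock_status() {
    check_shellshock "$@" && rc=0 || rc=$?
    case "$rc" in
        0) echo "patched" ;;
        1) echo "vulnerable" ;;
        *) echo "bash-not-found" ;;
    esac
}

# Usage: check the default bash on PATH, then an explicit path.
echo "default bash: $(shellshock_status)"
echo "/bin/bash:    $(shellshock_status /bin/bash)"
```

A behavioural probe like this confirms the first fix, but the initial Shellshock patch was followed by further Bash fixes, so on Red Hat systems pair it with `rpm -q bash` and compare the installed package version against the versions listed in Red Hat’s advisory; run the probe again after every Bash update, since a later package can only be trusted once it has been verified in place.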