Bash Shellshock Bug Causes Attacks Around the World
The Internet community was shocked with the September 24 announcement of a major security bug affecting the Bash shell. The Shellshock bug (originally called Bashdoor) was first discovered on September 12 and was assigned the CVE identifier CVE-2014-6271, but the news was embargoed until the 24th so major OS vendor could prepare security patches.
The Shellshock bug causes Bash to execute commands stored in specially crafted environment variables. The widespread use of Bash as a command shell for Linux and other Unix-based systems, and the importance of Bash as a tool for managing server systems on the Internet, has caused some security experts to predict that Shellshock will cause far more damage than the much-analyzed Heartbleed bug that dominated the news earlier this year.
After the initial announcement, Shellshock continued to fill the tech headlines. Major Linux distros announced patches, and even Apple announced concerns for their Unix-like Mac OS X systems. More difficult to fix are the many network routers and appliances that are running some form of Linux with Bash installed for maintenance and configuration. Oracle and Cisco announced dozens of appliances potentially could be compromised by Shellshock, and in many cases, the patches would need to be developed and installed individually. (Consult your vendor if you have a device that might be affected.)
By the end of the week, attackers were already appearing in the wild, and attackers deployed scanners to seek out systems that might have the Shellshock vulnerability. On September 29, security vendor Incapsula announced that it had deflected 217,089 exploit attempts on over 4,115 domains with new attacks arriving at a rate of 1,970 per hour.
What to do now? Patch your systems ASAP!