'Bash bug,' aka Shellshock, has no easy fix
Latest computer vulnerability is easily exploited, but there's not much end users can do
The latest computer vulnerability is rated by security experts as one of the most serious to surface in years, and one of the easiest to exploit.
But there aren't many direct countermeasures the average home and office user can take, security experts say, because it doesn’t affect the vast majority of end-user computing devices.
“By and large, the majority of internet users run Windows machines, so they’re not impacted,” said Satnam Narang, a security response manager at computer security firm Symantec in California.
The Shellshock vulnerability, more widely known as the Bash bug because it lies in Bash, the command shell installed by default on most Unix-like systems, potentially allows an attacker to run almost any command on an affected machine, from opening, altering and deleting files to shutting down networks and launching attacks on websites.
But Bash can typically only be found on Unix-based devices, such as those running the Mac OS X and Linux operating systems and the servers behind the world’s websites.
Even then, most Macs aren’t vulnerable, Apple said in a statement Friday, because it ships OS X in a configuration that doesn’t allow “remote exploits of Bash.” Some Mac users who have turned on advanced Unix services could be affected, and Apple said it is “working to quickly provide a software update” for those customers.
So what can the average user do to protect against the exploit? Here are five steps:
1. Protect your identity
The biggest risk from the Bash exploit to the average computer user is if a hacker gains access to a company or government server containing thousands of people’s confidential account information, credit card numbers and other personal data. It’s up to the server’s operators to protect against exploits in light of the Bash vulnerability, but anyone can help fend off identity theft or financial fraud by taking standard precautions like signing up for credit monitoring, periodically getting a free credit report and checking it, not giving out personal information to telemarketers or people who pose as them, tightening your Facebook privacy settings, and generally posting less personal information on public websites like LinkedIn or Twitter.
2. Use unique, strong passwords
If a cyber-attacker manages to use the Bash exploit to infiltrate a server containing your login and password info for one of your online accounts (such as email), it would be a cinch to get into others if you use the same password for them all. So be sure to use unique, and strong, passwords for each sensitive website you use, such as banking, email, workplace servers, online shopping and government benefits.
3. Check all your online accounts regularly
The sooner you notice that someone might be hacking into one of your online accounts, the better. So it pays to regularly log in, even if you don’t have a bill to pay or tax statement to download. You’ll likely be able to notice immediately whether your password has been changed and whether something’s amiss with your account balances or other details.
4. Wait for companies to recommend patches and password changes
The companies behind the world’s most important computer servers will be checking over the coming days whether their systems are vulnerable to the Bash bug. Once they’ve figured things out and potentially upgraded their software, many of them may tell their customers to change to a new password or possibly patch some software. This could happen with home wireless routers, too, many of which run Linux-based firmware, but only a fraction of which ship with Bash itself (most use a smaller shell, such as the one bundled with BusyBox), so not all of them are exploitable. “Some home routers are potentially affected, but it’s hard to quantify exactly how many,” Symantec’s Narang said. “So if you have a home router and the manufacturer issues an update, you should be patching it.”
5. If you run Linux, Unix or a server, patch it
If you’re one of the small percentage of end users running Linux or another non-Mac Unix-based operating system on your machine, or a server, you’re probably savvy enough already to be patching it. But just in case, companies like Red Hat and Akamai have released information on how to at least partially protect yourself; the first Bash patch turned out to be incomplete, so expect to apply a follow-up update as well.
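For step 5, the check an administrator would actually run is below. It is an added example, not code from the article, Red Hat or Akamai. It assumes `bash` is on the PATH and uses the two public test strings for Shellshock: the original bug (CVE-2014-6271), in which Bash executed commands appended to a function definition in any environment variable, and the incomplete first fix (CVE-2014-7169), in which a parser bug let a crafted variable redirect output into a file. On a patched system both checks report "no"; a fully updated Bash only imports functions from specially named `BASH_FUNC_*` variables.

```shell
#!/bin/sh
# Added example (not from the original article): local Shellshock self-check.
# Assumes bash is installed; falls back gracefully if it is not.

# CVE-2014-6271 check. A vulnerable bash executes the "echo VULNERABLE" that
# follows the function body in the environment variable x; a patched bash
# ignores the variable and only runs the -c command.
# Returns 0 (true) if vulnerable, 1 if not.
shellshock_vulnerable() {
    out=$(env 'x=() { :;}; echo VULNERABLE' bash -c 'echo ok' 2>/dev/null) || true
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169 check (the bug left behind by the first patch). On an affected
# bash the crafted variable X makes the parser turn "echo date" into a
# redirection that writes the output of `date` into a file named "echo" in the
# current directory. Run in a scratch directory and look for that file.
# Returns 0 (true) if vulnerable, 1 if not.
shellshock_parser_bug() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env 'X=() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -f "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}

# Summarise both checks as a single word: "VULNERABLE", "patched" or "no bash".
shellshock_report() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no bash"
        return 0
    fi
    if shellshock_vulnerable || shellshock_parser_bug; then
        echo "VULNERABLE"
    else
        echo "patched"
    fi
}

# Usage when run directly: print the verdict and the bash version it applies to.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    printf 'bash: %s\n' "$(bash --version 2>/dev/null | head -n 1)"
    printf 'shellshock: %s\n' "$(shellshock_report)"
fi
```

A result of "patched" means only that the two published test strings no longer work; it is still worth confirming that the installed Bash package is the vendor's fixed build and restarting long-running services that may have inherited the old binary.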
For mobile devices like smartphones and tablets, Narang said the average consumer doesn’t need to fret. Those gadgets would almost never come installed with a shell program like Bash on them. People who root their Android device or jailbreak their iOS device might be at risk, though, since they may have installed Bash themselves; they should check whether any software they added would put them at risk and, if so, consider patching it or reinstalling the standard operating system.
It’s not at all clear yet how widespread the Shellshock problem may be. So far, Narang said, security researchers have seen malicious hackers use the exploit to try to set up a so-called denial-of-service attack, where they take down a website by repeatedly requesting information from it. But, he warned, “the possibilities are endless once you are on a machine. You can have free rein in some cases.”