Friday 26 September 2014

Some government computer systems taken offline after Shellshock security bug discovery

Photo illustration: text from the Bash command-line program overtop a computer user's hands.
The federal government has rushed to update software across its computer systems and taken other vulnerable systems offline after a critical network security flaw known as “Shellshock” was disclosed Wednesday.
The Shellshock bug lets an attacker run commands of their choosing through the Bash shell program, which ships with most Linux and UNIX distributions and with Apple’s Mac OS X operating system. That leaves everything from personal computers to routers and many other internet-connected devices open to exploitation.
“When the government became aware of this vulnerability, all federal government organizations were directed by the Chief Information Officer for the Government of Canada to patch affected systems on a priority basis,” Kelly James of the Treasury Board of Canada Secretariat said Thursday afternoon in an email to Postmedia.
“For vulnerable systems where no patch is available, departments have been directed to take those systems offline.”
The Treasury Board of Canada Secretariat handles internal administration for much of the federal government.
The federal government was criticized in April for being slow to notify the public about the Heartbleed bug discovered in the OpenSSL encryption library, waiting several days even as some 900 Social Insurance Numbers were copied from the Canada Revenue Agency website. A 19-year-old computer science student at Western University in London, Ont., was charged with one count of unauthorized use of a computer and one count of mischief in relation to data over the incident.
Some security experts warn that Shellshock could prove more harmful than the Heartbleed bug. Whereas Heartbleed allowed third parties to “listen in” on users’ activity, Shellshock could let hackers execute malicious code on remote machines that use the vulnerable versions of Bash, putting much of the internet at risk.
Updates for the affected Bash software have not completely patched the vulnerability yet, according to network administrators, and attacks by hackers exploiting the Shellshock flaw have already been carried out. The U.S. Department of Homeland Security has listed the Shellshock bug in its national vulnerability database under the identifier “CVE-2014-6271” — with a severity rating of 10 out of 10.
The vulnerability was discovered last week by Stephane Chazelas, a French programmer working in Scotland who told the Globe and Mail he checked Bash after finding a similar flaw in other software. The bug was reportedly part of the code for over two decades before it was discovered and it could take months before its full impact is known.
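The article tells administrators to patch or take systems offline but does not show how to tell whether a given Bash build is still affected by CVE-2014-6271. The following self-check is an added example, not part of the article or any vendor advisory: it runs the widely published diagnostic for that CVE against a local Bash binary (assumed to be `bash` on PATH unless a path is passed) and reports whether the function-import flaw is present.

```shell
# Local self-check for CVE-2014-6271 (added example, not from the article).
# The flaw: an affected Bash imported any environment variable whose value
# began with "() {" as a function definition and kept parsing past the
# closing brace, so a command appended after the body ran at shell startup.
# A patched Bash stops after the function body, so the marker never prints.
check_shellshock() {
    bash_bin="${1:-bash}"   # Bash binary to test; assumption: bash on PATH
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # Export a function definition with a trailing echo. The child shell is
    # given only a harmless command, so just the import path is exercised.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

check_shellshock "$@"
```

The exit status (0 patched, 1 vulnerable, 2 no Bash found) makes the check usable from inventory scripts across a fleet; a "vulnerable" result on a host means the update has not yet been applied there.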
