Tuesday, October 7, 2014 - Almanac Vol. 61, No. 8
On Wednesday, September 24, a computer vulnerability nicknamed “Shellshock” was announced. Because it has the potential to affect many millions of critical systems worldwide, it is being compared in scope to the recent Heartbleed bug. The vulnerability exists within BASH, the UNIX command line shell used by a large majority of Linux and Unix based operating systems, including the majority of servers on the internet that host websites. While this bug was just recently discovered, the issue has been in the code for over 20 years, affecting any system that has not been updated since patches began to be released on Thursday.
As soon as the bug was disclosed, Penn IT staff began identifying and remediating affected computers, focusing on critical systems first. In addition to scanning potentially vulnerable systems, ISC Information Security is actively monitoring network traffic for attacks on Penn systems.
Anyone who runs a Linux or Unix based system is being asked to patch their system as soon as possible. Mac OS X systems may also be vulnerable, but in most cases users are okay to wait for Apple to release a patch—the only exception being users who have enabled advanced services (SSH, web server, etc.); most installations should be resistant to attacks.
As is often the case in these situations, please be on the lookout for fraudulent email on this topic claiming to be from companies with which you do business (including Penn), as criminals may use this event to create phishing email messages designed to trick people into divulging their passwords. No legitimate party from Penn will ever ask you to share your password.
If you have any questions about Shellshock please contact: firstname.lastname@example.org
For more information about Shellshock, please see the following summary article: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html