informa
Commentary

Poll: Patching Is Primary Response to Shellshock

As potential threats mount, Dark Reading community members home in on patching infrastructure but not devices, according to our latest poll.

In the month since the disclosure of "Shellshock," the critical remote command execution Bash bug affecting practically everything from servers to sensors to storage, members of the Dark Reading community are putting their principal efforts into patching, according to our latest online poll.

Rated as a 10 out of 10 for its impact and ease of exploitability by the Common Vulnerability Scoring System, in the intervening weeks Shellshock has already been weaponized through Mayhem, an existing botnet malware and found targeting QNAP network-attached storage devices in in-the-wild exploits.

In the meantime, related bugs continue to be discovered, a harbinger that Internet pioneer Paul Vixie predicts marks the beginning of a future of 'Hair On Fire' bugs so vast that "it will take 10 years to patch most computers affected by the bug" and the rest -- including embedded devices and sensors -- "will be vulnerable for the lifespans of all humans now living."

Sounds daunting, for sure. It's no wonder that Dark Reading respondents were so busy patching and checking there was little time to even take our online Shellshocked & Bashed poll, which had one of the smallest response rates -- a mere 214 -- since we starting taking the pulse of the community on current events and topical issues last spring.

Our question this time was fairly direct. We wanted to know what steps members are taking or planning to take in response to Shellshock and Bash; they could respond to as many answers as applied.

The magnitude of the problem was reflected in the number-one response: patching. Nearly three out of four respondents report that they were "patching what we can and trying to stay up to date on new vulnerabilities." But bug fatigue also was evident. Only slightly more than half of poll takers say they are checking vendors' patch information against the CVEs.

The device issue proved to be more of a conundrum. Just 20% of respondents are bothering to take an inventory of smart devices in their company, a step recommended by several experts. Slightly fewer -– another 19% –- are planning to replace non-upgradeable or un-auditable devices with devices they can control.

Even more of a shock to me was the 16% of respondents who say they are doing nothing. But I take with a grain of salt those of you who say you don't know what Shellshock or Bash is. So let me ask the question another way, an essay question if you will. Is the industry overreacting to Shellshock? And if you're not looking beyond infrastructure patching, why aren't you? Let's chat about it in the comments section below.

Recommended Reading: