Australia's privacy commissioner has warned government agencies and businesses to protect their IT systems against the Shellshock vulnerability to avoid falling foul of the Privacy Act.
The Shellshock vulnerability in the commonly used Bash command line interpreter is expected to be more dangerous than the OpenSSL Heartbleed flaw because of the large amount of software that interacts with the shell.
Australian Privacy Commissioner Timothy Pilgrim today made it clear he expects agencies and businesses to take action to bolster their systems against Shellshock in order to meet their obligations under the Act.
"These obligations include regularly monitoring the operation and effectiveness of ICT security measures to ensure they remain responsive to changing threats, vulnerabilities and other issues that may impact the security of personal information," Pilgrim said.
"Where a vulnerability has been identified, patches and software upgrades should be rolled out as soon as possible."
Pilgrim referred potentially affected organisations to the Office of the Australian Information Commissioner's Guide to information security for more information on the steps they are expected to take.
Australia's Computer Emergency Response Team (CERT Australia) also advised that businesses monitor their systems and act quickly on software updates issued by vendors.
"Details regarding the issue and its potential impact are evolving, and should be closely watched by those who believe their networks may be vulnerable," it said in an advisory.
CERT Australia recommended organisations patch all affected internet-facing systems as soon as possible, monitor such systems for suspicious activity, block unnecessary inbound traffic at the firewall and disable unnecessary services, and ensure logging and auditing functionality is enabled and actively monitored.
All versions of Bash since 1.14 (released in 1995) are affected, as are all applications which utilise the shell.
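CERT Australia's advice above to monitor internet-facing systems for suspicious activity can be put into practice by looking for the one thing every Shellshock probe must carry: the Bash function-export prefix `() {` arriving in attacker-controlled input such as HTTP request headers (the CGI path is the widely documented vector, and is an assumption of this example rather than something the article states). The following Python script is an added example written for this page, not code from the OAIC, CERT Australia or any vendor; the log lines and header values are constructed, the field layout is assumed, and a match tells you only that someone sent the pattern, not whether the host was actually vulnerable.

```python
import re
from typing import Dict, List

# Signature for the Bash function-definition prefix "() {" that Shellshock
# payloads begin with. Optional whitespace is tolerated because the shell
# accepts "(){" as well as "() {". Detection only: it says nothing about
# whether the receiving host's bash is patched.
FUNC_PREFIX = re.compile(r"\(\)\s*\{")

# Constructed sample access log (assumed combined-log-style layout, with the
# User-Agent as the last quoted field). Not real traffic. Line 2 carries a
# harmless probe string that exercises the signature.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:02 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Sep/2014:10:01:05 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
192.0.2.12 - - [25/Sep/2014:10:01:09 +1000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.30.0"
"""


def find_shellshock_probes(log_text: str) -> List[Dict[str, object]]:
    """Retrospective check: return one record per log line containing the
    function-export prefix, with the line number and the client address
    (assumed to be the first whitespace-separated field)."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if FUNC_PREFIX.search(line):
            parts = line.split()
            hits.append({
                "line": lineno,
                "client": parts[0] if parts else "",
                "raw": line,
            })
    return hits


def suspicious_headers(headers: Dict[str, str]) -> List[str]:
    """Inline check for a request handler or WSGI middleware: return the names
    of the headers whose value carries the prefix. CGI copies every request
    header into an environment variable before invoking the handler, which is
    why header values are the input to inspect."""
    return [name for name, value in headers.items() if FUNC_PREFIX.search(value)]


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: probe from {hit['client']}")
    flagged = suspicious_headers({
        "Host": "example.com",
        "User-Agent": "curl/7.30.0",
        "Referer": "() { :; }; echo probe",   # constructed probe value
    })
    print("flagged headers:", flagged)
```

Run over the constructed log the script reports only line 2 (client 192.0.2.11), and the header check flags only `Referer`. In production the same signature belongs in the web server's request filtering or in the log pipeline feeding the "logging and auditing" monitoring CERT Australia recommends; a hit is a prompt to confirm the host is patched and to review what that client did next, not proof of compromise.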