On September 24th, security researchers disclosed yet another critical code flaw with the capability to negatively impact the internet, this time in the UNIX bash shell, a command line interpreter used in many of the servers that comprise the web. Dubbed Shellshock by the information security community, this security bug leaves servers running any of the seven affected versions of Bash, which includes Mac OS X users, vulnerable to attack.
While this bug doesn’t affect the vast majority of Mac users--no worries, teachers, your iPads and iPhones are safe, and so are your Macbooks unless you’ve set them up for advanced server configuration--it does have the potential to pose a unique set of difficulties for schools. Some security researchers even consider this bug to be bigger than Heartbleed, another catastrophic flaw discovered in April.
Over the past few years, many schools have abandoned running their own servers in favor of adopting cloud-based tools that do not require expensive hardware or upkeep. For schools that do maintain their own servers, patching and configuration management are low priorities for technology coordinators and district IT staff. If your school or district is running its own servers on a UNIX framework, however, the information that you’re storing on those servers is at potentially at risk.
- An attacker could use the vulnerability to access your servers, and potentially read whatever is stored in their memory. If servers used to store information for your school’s student information system, personal identification information, or other academic records are accessed, this could result in a breach of student privacy that violates FERPA.
- Additionally, an attacker could access an unpatched server and use it to serve malware to anyone who sends that server a command. While this may seem unlikely, there are many cases of malware and worms lurking around the web due to this security hole. Any malware installed through this vulnerability has the potential to easily wreak havoc on your network infrastructure, collect account credentials, and gather enough information for an attacker to gain unauthorized access to other parts of your network. This malware could also be served to students or parents accessing a school-hosted site, putting their machines and personal information at risk.
If you’re an educator, administrator, or IT staff in charge of running servers for your district, here are a few things that you can do to protect your students and their data from Shellshock:
- Test to see if your servers are vulnerable. This article from ReadWriteWeb has great step-by-step instructions that will walk users through how to patch the vulnerability.
- If your servers are vulnerable, here are a few ways you can patch them. Security professionals have had a rough time patching this vulnerability over the past few days, so you may want to keep an eye on any patches you have applied to make sure that they are safe.
- Update any Macs in your district using OS X by downloading Apple’s security update released on September 29th. The risk to the average Mac user is low, and even if you are not using your machine with an advanced UNIX setup, it’s best to cover all of your bases and update your operating system now.
This year has been an unprecedented year in security breaches and security vulnerability discover; so many exposures have been disclosed that the systems used to track them are being restructured to account for the massive growth in vulnerability reports. Though many of the vulnerabilities that are found and reported may not affect the daily work of educators, those that affect critical internet infrastructures have the potential to put student and educator privacy at risk.