The majority of Fortune 1000 and Global 2000 companies have already deployed, or are now deploying, Shellshock patches to fend off code attacks, according to cloud security firm CloudPassage.
The Shellshock vulnerability allows remote attackers to execute arbitrary code on servers using a variety of techniques, with the CVE-2014-6271 weakness in the Bourne-Again Shell (Bash) affecting most Unix and Linux-based systems.
"The Shellshock vulnerability is one of the most pervasive threats we’ve seen, certainly greater than Heartbleed," said Carson Sweet, chief executive of CloudPassage. "As it takes advantage of a vulnerability in Unix\Linux, it can affect everything from critical business systems to laptops, from mobiles and TVs to soda machines and point of sale systems. Within just a few hours, there were multiple instances of malware taking advantage of this weakness."
Forbes Global 2000 is an annual ranking of the top 2,000 public companies in the world, while Fortune 1000 is a list of the largest US companies, ranked on revenues alone.
CloudPassage estimates are based on the number of firms that have deployed patches to resolved the main CVE-2014-6271 vulnerability. These patches are capable of blocking nefarious exploits, but were quickly discovered to be incomplete, prompting the release of an update to address secondary flaws in Bash last weekend, as we explained previously here. ®