Top US financial regulators want banks to Shellshock-proof their software

Top financial regulators in the US have called on banks to update their software immediately to protect against the Shellshock bug.

International Business Times reported that failure to do so could make them vulnerable to losses due to cyber fraud.

Shellshock, the newly-uncovered security hole found deeply embedded in the world's computer systems, could have a major impact on global cyber security, say experts.

A number of computer operating systems that use Bash, or the Bourne-again shell of Unix are vulnerable to Shellshock. The open-source software is the basis of numerous computer software systems worldwide, giving it an enormous potential impact on the world's computer systems.

According to a Reuters report yesterday, the pervasive use of Bash and the potential for this vulnerability to be automated presented a material risk, the Federal Financial Institutions Examinations Council said.

The FFIEC is operated between the Federal Reserve, the Federal Deposit Insurance Corporation, and a host of other US financial agencies.

The group recommended that banks needed to  quickly identify which of their systems used Bash, and patch them to protect against security threats. They also needed to look into third-party software to check for security holes.

Meanwhile, the possible risk of cyber criminals exploiting the bug known as GNU Bourne Again Shell, also known as Bash or Shellshock, was being closely monitored by local IT regulators the Infocomm Development Authority of Singapore (IDA), Channel NewsAsia reported.

In response to a query by the channel, a spokesperson said yesterday that IDA was ''aware'' of the Bash vulnerability and was ''closely monitoring the situation''. She added, the IDA would like to reassure the public that government agencies were taking the necessary security measures to ensure the integrity of their websites and e-services.

The IDA spokesperson called on IT system administrators to focus on systems with Bash shells that could be remotely accessed and immediately apply the necessary patches. She added, if patches for these systems were not yet available, administrators should consider closing off the affected services, or using alternative shells.

The Singapore Computer Emergency Response Team (SingCERT) meantime, detailed steps for system administrators to check if their Bash shells were at risk, adding that the vulnerability could be exploited in various ways. For instance, network-based attackers could exploit vulnerable web servers that used Common Gateway Interface or through applications such as OpenSSH and DHCP.