The FFIEC issues “shellshock” vulnerability alert to financial institutions

The Federal Financial Institutions Examination Council (the “FFIEC”) issued an alert advising financial institutions about a material security vulnerability in the Bourne-again shell (Bash) system software widely used in servers and other computing devices that could allow attackers to access and gain control of operating systems. The vulnerability, nicknamed “shellshock,” could expose organizations and individuals to potential fraud, financial loss, or access to confidential information. Any financial institution that provides secure services with Linux or nix variants running a vulnerable version of the Bash shell could be at risk no matter what their vendor mix. Given the widespread use of Bash and the evolving nature of the risk, the FFIEC said that regulators expect financial institutions to perform a risk assessment and address the shellshock vulnerability not only in their own systems, but also with their third-party service providers.