On September 26, 2014, the Federal Financial Institutions Examination Council (“FFIEC”) issued an alert notifying financial institutions of a material security vulnerability in Bourne-again shell system software that could allow attackers to gain access and control of operating systems. The FFIEC alert outlines the risks associated with the vulnerability (known as “Shellshock”) and advises financial institutions to take appropriate risk mitigation steps. Examples of appropriate risk mitigations steps include: (i) identifying vulnerable internal systems and services; (ii) following appropriate patch management practices; and (iii) ensuring that third-party vendors take appropriate risk mitigation steps and monitoring the status of the vendors’ efforts.

The full text of the FFIEC alert is available at:  

http://www.ffiec.gov/press/PDF/FFIEC_JointStatement_BASH_Shellshock_Vuln erability.pdf.