Financial institutions should quickly address the "Shellshock" vulnerability by applying patches to their Bash software, the Federal Financial Institutions Examination Council said Friday.

Bash, or Bourne-again Shell-a common software tool found in most UNIX, Linux, and Mac OS X operating systems and which also may be installed on Windows servers-is used to execute a sequence of commands. The "Shellshock" vulnerability could allow an attacker to execute malicious code on Bash and gain control over a targeted system. The pervasive use of Bash and the potential for this vulnerability to be automated presents a material risk.

Financial institutions and their service providers should assess the risk to their infrastructures and execute mitigation activities with appropriate urgency. Financial institutions should identify all servers, systems, and appliances that use the vulnerable versions of Bash and follow appropriate patch management practices.  

Financial institutions relying on third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.

CFPB Brings the Hammer 

Consumer Financial Protection Bureau (CFPB) took action against Michigan-based Flagstar Bank for violating the CFPB's new mortgage servicing rules by illegally blocking borrowers' attempts to save their homes. The CFPB is ordering Flagstar to halt its illegal activities, pay $27.5 million to victims, and pay a $10 million fine.

The Bureau's examinations and investigation found that from 2011 to the present, Flagstar failed to devote sufficient resources to administering loss mitigation programs for distressed homeowners. For example, in 2011, Flagstar had 13,000 active loss mitigation applications but only assigned 25 full-time employees and a third-party vendor in India to review them. For a time, it took the staff up to nine months to review a single application. In Flagstar's loss mitigation call center, the average call wait time was 25 minutes and the average call abandonment rate was almost 50 percent.  

Specifically, the Bureau found that Flagstar:  

• Closed borrower applications due to its own excessive delays 
• Delayed approving or denying borrower applications
• Failed to alert borrowers about incomplete applications 
• Miscalculated incomes 
• Denied applications for unspecified reasons 
• Misinformed borrowers about their appeal rights
• Put borrowers in trial period purgatory

Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB has the authority to take action against institutions violating the January 2014 mortgage servicing rules, and it has authority to take action against institutions engaging in unfair, deceptive, or abusive practices.    

2013 Real Estate Settlement Procedures Act (Regulation X) and Truth in Lending Act (Regulation Z) Mortgage Servicing Final Rules