Shellshock Security Update

Published 02 October 2014 by Runako Godfrey

Shellshock is a vulnerability in the GNU Bash shell that allows remote attackers to execute commands on a system. There are currently a few related security advisories available about this issue:

 

How ProjectLocker has responded to Shellshock

Once we became aware of Shellshock, we responded by rapidly assessing our risk. At this time, we do not believe that our production systems were at significant risk due to the particular software stack we use to serve our applications. Nonetheless, we believe that the only way to be sure is to maintain current security patches, as is our standard practice.

Once patches for Bash became available, we applied them to all customer-facing servers within 24 hours, with all servers patched within 48 hours of patches becoming available. Note that in some cases, we patched systems prior to patches making their way into their respective distributions.

We'll continue to update our systems in response to further developments.

What You Should Do

If your organization runs machines that have Bash installed (this includes most Linux/Unix machines, including Macs), you should ensure that those systems are updated immediately. Shellshock is a potentially serious security bug, and you should patch your systems to address it.

The good folks at shellshocker.net have assembled a set of details about the vulnerability, as well as test scripts to determine whether your systems are exposed. Additionally, they have instructions for patching (or rebuilding) Bash to protect your systems.
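As an added example (not ProjectLocker's or shellshocker.net's code), the following POSIX shell script checks every Bash binary it can find on a host for the original flaw, in which Bash runs commands that trail a function definition passed in an environment variable. The function names, the `probe` variable and the canary string are constructed for this example, and a clean result covers only this one probe, so it does not replace applying current patches.

```shell
#!/bin/sh
# Added example: local self-test for the original Shellshock behaviour.
# All names below (is_vulnerable, candidate_shells, audit, probe, CANARY)
# are constructed for this example.

CANARY="shellshock-canary-$$"

# Exit status: 0 = binary executed the trailing command (vulnerable),
#              1 = canary not printed (not vulnerable to this probe),
#              2 = path is missing or not executable.
is_vulnerable() {
    iv_bin=$1
    [ -x "$iv_bin" ] || return 2
    # A patched Bash treats "probe" as an ordinary string variable.
    # A vulnerable Bash parses it as a function and runs the echo.
    iv_out=$(env probe="() { :;}; echo $CANARY" "$iv_bin" -c 'true' 2>/dev/null)
    case $iv_out in
        *"$CANARY"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Candidate binaries: bash on PATH plus any bash listed in /etc/shells.
candidate_shells() {
    {
        command -v bash || true
        if [ -r /etc/shells ]; then grep -E '/bash$' /etc/shells || true; fi
    } 2>/dev/null | sort -u
}

# Prints one line per binary; returns 1 if any binary is vulnerable.
audit() {
    au_status=0
    for au_bin in $(candidate_shells); do
        is_vulnerable "$au_bin" && au_rc=0 || au_rc=$?
        case $au_rc in
            0) echo "VULNERABLE $au_bin: $("$au_bin" --version | head -n 1)"
               au_status=1 ;;
            1) echo "ok         $au_bin" ;;
            2) echo "skipped    $au_bin (not executable)" ;;
        esac
    done
    return $au_status
}

audit || echo "At least one Bash binary needs patching."
```

Run it on each machine you manage; chroots, containers and statically bundled copies of Bash need their own check because they are not listed in the host's `/etc/shells`.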

 


Topics: Security
