Security advice – Shellshock Unix Bash Bug
Shellshock Unix Bash Bug – Informational purposes only. No action is required.
We wish to advise that we are aware of the security vulnerability and every web server that we manage has been patched. Hence, if you have shared hosting or reseller hosting with us, your website(s) are NOT at risk. If you have a managed web server with us, your server is NOT at risk.
We’ve been contacted by several customers asking about the recently discovered vulnerability in the Unix Bash shell. The vulnerability is known as the Shell Shock Unix Flaw. It was discovered by security experts and is thought to affect millions of Web-connected devices, Web servers, and Web-powered services running on Linux distributions equipped with the Bash shell, as well as the Mac OS X Mavericks operating system.
However, although it is on the same scale as the recent Heartbleed bug, it is clear that we should not be panicking just yet:
“We’re not keen to jump on the ‘Heartbleed 2.0’ bandwagon. The conclusion we reached is that some factors are worse, but the overall picture is less dire… there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild. Heartbleed was much easier to conclusively test and the impact way more widespread.”
The advice from experts and security researchers is to wait for updates for your devices and apply them as promptly as possible. Be wary of any emails asking for details or access to your machine, as the senders can exploit the vulnerability if they gain access. See Troy Hunt’s article, which breaks down the main points: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
Check out http://www.techcentral.ie/bigger-heartbleed-shellshock-flaw-leaves-os-x-linux-open-attack/ for more information on the bug as it comes in, and keep an eye out for updates on our blog. We will update customers with relevant information as it comes in. The link also provides test code you can run to see whether your device is vulnerable to Shellshock. This only needs to be done if you know what you are accessing. The important thing to stress is that this is not as severe as Heartbleed, even though it may be even more widespread. Do not panic! JSWeb are working to ensure we patch our servers with any further fixes as they emerge, and we will update our customers accordingly.
Please do not hesitate to contact our support team if you have any questions or concerns.