Before getting in to the technical stuff, the past couple days we have been busy behind the scenes securing all the servers we manage, so if you are a client that has Shared Hosting, Enterprise Hosting, Reseller Hosting, or any Server or Virtual Server that we manage, we have applied all the necessary patches and are continuing to monitor for any further updates.
For those of you that have one of our self managed servers or virtual servers, there is a bit of work ahead. Now we are happy to help with any questions you have in applying the necessary patches to your server.
For detailed information, please see the following:
September 24, 2014 Update:
September 25, 2014 Update:
We will continue to post links and updates as information becomes available.
September 24, 2014
Discovered by Stephane Chazelas, the Bash Bug vulnerability, nicknamed ShellShock, is a flaw that has existed for around 20 years that has only been recently found. It affects the way Bash evaluates certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands remotely to web servers. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. The web server is only vulnerable in this attack if the bash shell (or interpreter) is capable of passing commands remotely over the internet. And this is how your private information could be put at risk.
The exploit affects servers and systems that use the language interpreter called Bash to process commands. Certain versions of Linux and Unix use Bash, and Mac OS X 10 Mavericks also uses it since it’s based on an underlying Unix platform.
Heartbleed or Shellshock. Which one is Worse?
While Shellshock is not going to affect as many devices as Heartbleed did, the far reaching impact of both are severe. Heartbleed was restricted to allowing those nasty guys to only steal information, whereas Shellshock allows Bash to remotely execute commands (and steal information too). So the far reaching effect of Shellshock is vast, with one of the most dangerous aspects being that the hacker can easily find out what is on the server.
September 25, 2014
As has been widely expected the initial patch would not be the last. The complete patch has now been made (CVE-2014-7169) and has been applied to all Shared Hosting, Enterprise Hosting, Reseller Hosting, or any Server or Virtual Server that we manage.
Reports are surfacing as well that Shellshock has become “weaponized”, which means that malware is now being spread through this vulnerability.
For our self managed clients, please ensure you apply these updates as soon as possible.