There is a new bug in town, and its name is Shellshock. Remember Heartbleed? It might be worse than Heartbleed, so you should probably be aware of how it might affect you. You probably won’t understand all of the specifics and technical details of the bug, so we’ll try to lay it out in less technical terms.
What is it?
Shellshock is a bug in Bash, the Unix command shell, that can be exploited to execute code remotely. Bash is one of the most common applications on popular Unix systems like Mac OS X or Linux (Windows is safe from this bug). The bug has actually been around for 22 years, but it was only recently discovered by Akamai Technologies security researcher Stephane Chazelas.
Do I have to worry?
Shellshock can be used to execute code on simple Internet devices, things like your router, IP camera, Internet-connected appliances, etc. Your personal computer is probably safe because you are running a firewall and so you’re not allowing external applications to execute. Web servers can be affected, but those are maintained on a regular basis by admins. Patches have been released everywhere to combat this bug, so chances are your IT admin has done the work for you. This bug does not affect Windows, and Apple has recently released patches for Mac.
Does it affect SmartFile?
Due to the nature of the SmartFile system design, our application was not vulnerable to the Shellshock bug. Regardless, we still want to reduce any possible attack vectors as they’re found. SmartFile runs a module, as part of our automated deployment, that will update individual packages on an ad-hoc basis specifically for security issues. We updated this module to watch for bash updates, and all internally affected servers were updated within 30 minutes of a patched version of bash being made available. Even as additional patched versions were made available, SmartFile continued to be patched within approximately 30 minutes.
Software and hardware companies have released patches to fix their vulnerabilities to this bug, so make sure you download and install those. As always, be conscious of your passwords and change them regularly to stay safe. Shellshock is a dangerous bug and it won’t be the last, but it is a good exercise in security awareness for everyone. Stay safe!