Over the past few days you may have heard people talking about the “shellshock” bug. If you haven’t, then chances are you will in days or weeks (or years?) to come. A few months ago we wrote about the Heartbleed bug, which was the last Internet bug apocalypse, and so in keeping with that trend, here’s our quick summary on shellshock.
Part of the problem with bugs like these is that there’s a lot of chatter, and not all of it is accurate. There’s already been a lot of great writing about this issue, so I’m going to link to a couple of posts which are worth reading, and talk a little bit about how this issue relates to your websites, for Ignition Development customers and everyone else.
One of the sources I’m going to reference is a post by a Security Person named Troy Hunt: Everything you need to know about the Shellshock Bash bug. Troy’s post is a little on the technical side for some people, but it’s worth persevering with.
Firstly, what is Shellshock? The very short version is that it’s a bug which allows anyone to remotely execute commands on a vulnerable machine. To be vulnerable the machine needs to be running “Bash”, which is software that’s typically present on Linux/Unix and OSX (that means your Mac!) systems, which can be either servers or normal computers. Bash can also be present in some “devices” such as ADSL routers and Web/IP cameras. There’s more information about Bash in Troy’s post, under the section “What is Bash and why do we need it?”
What does “execute commands” mean, you may ask? Well, it can mean a number of things. There are a lot of really nasty and really clever things that people are going to think of to do with this. So rather than list them, imagine giving thousands of dodgy people access to sit in front of your computer/server and do whatever they want for a few hours, with no way for you to come back at them afterwards.
Are Ignition Customers Affected?
No. Web sites hosted on our internal platform are not affected by this vulnerability. Ignition uses Microsoft Internet Information Services (IIS) on a Windows Server for hosting, which does not use the affected software. Our external customers use their own installations of Microsoft IIS and are also not vulnerable to this bug.
Our upstream provider Sitehost (Twitter) has also been very proactive about this bug, and has been busy this week patching its own systems and non-Windows machines where required.
The above makes it sound like Microsoft machines aren’t at risk, which unfortunately isn’t quite true. In reality it’s a little more complicated than that. As Troy puts it:
All our things are on the Microsoft stack, are we at risk?
Short answer “no”, long answer “yes”. I’ll tackle the easy one first – Bash is not found natively on Windows and whilst there are Bash implementations for Windows, it’s certainly not common and it’s not going to be found on consumer PCs. It’s also not clear if products like win-bash are actually vulnerable to Shellshock in the first place.
The longer answer is that just because you operate in a predominantly Microsoft-centric environment doesn’t mean that you don’t have Bash running on machines servicing other discrete purposes within that environment.
The last part of that quote is why it’s really great for Ignition to be with a security conscious provider like Sitehost.
If you have any questions, please contact us and we’ll be happy to assist.
What if my site isn’t built by Ignition?
Contact your hosting provider or web site developer immediately.
If your site is hosted on Microsoft IIS you’re probably safe, but any other hosting platform is most likely vulnerable to this bug unless they’ve patched. You should feel free to ask them – if they don’t know what you’re talking about, then you should probably take that as a sign.
What about everything else?
It’s probably worth having a think about the devices around your home and/or office. Compile yourself a mental list of things you may be exposing to the Internet. Your router? Your Web camera? What else? Check the manufacturer sites and see if there are any statements about your devices, or even better, if there are any software updates available to patch this issue. Simply thinking about which of the devices you own may be vulnerable puts you in a better position than most people. Have a read of the “I’m a consumer – what can I do?” section in Troy’s post, especially if you’re a Mac user.
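If you have a Mac or a Linux machine of your own, you can also check its copy of Bash directly. The script below is an added example (not from the original post, and not Troy’s code): it runs the widely published CVE-2014-6271 probe against the bash found on your PATH, asks Bash to run nothing but a harmless “:”, and reports “vulnerable”, “patched” or “no-bash”; the variable name x and the marker word “vulnerable” are arbitrary choices.

```shell
# Added example: local self-check for the CVE-2014-6271 Shellshock bug in
# the Bash installed on THIS machine. A vulnerable Bash parses a function
# definition smuggled into an environment variable and then runs whatever
# command trails it; a fixed Bash treats x as an ordinary variable.

# Classify the probe output. The marker word can only appear if Bash
# executed the trailing command from the environment variable.
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Probe the bash on PATH (or the binary given as $1).
# Prints exactly one of: vulnerable, patched, no-bash.
check_shellshock() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Only the environment variable is hostile; the command Bash is asked
    # to run is ':' (do nothing), so the check changes nothing on the box.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c ':' 2>/dev/null)
    classify_shellshock_output "$out"
}

check_shellshock
```

If it prints “vulnerable”, install your operating system’s Bash update before doing anything else; a “patched” result covers only this one bug and this one machine, not the routers and cameras mentioned above.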
Finally, a quick warning to pay attention to the sources you’re reading and trusting on this. If you’re worried, then read a few different articles and make sure they’re saying the same thing. Don’t take any single source as gospel. And whatever you do, DON’T READ THE COMMENTS. Some of the content in the comments sections of even the most reputable blogs is enough to send anyone into a pit of despair.
Link: Everything you need to know about the Shellshock Bash bug (Troy Hunt)
Link: Errata Security blog
Link: National Cyber Awareness System - Vulnerability Summary for CVE-2014-6271