What Shellshock means for you

Author: Andy Hartwell

You might read online or in the papers about a new vulnerability (or bug) nicknamed “shellshock”. This is the second major vulnerability to enter the news stream this year, after “heartbleed”, and it has wide-reaching consequences.

First off, the TL;DR version for customers hosting their websites with Substrakt. We’ve tested our servers against the issue and are not vulnerable. You can run online tests but these aren’t conclusive, so we’ve run them against our servers via terminal access, and in all cases we’ve come out clean.

If you’re not hosting with us and have any concerns, please get in touch. If we have access to your server we can figure out pretty quickly if you’re vulnerable and help you take steps against it. Otherwise, if you have any questions about it, drop us a comment or contact me on Twitter.

Now, to the actual issue itself. You know those films where a hacker types yellow text onto a black screen? Well, in the real world a computer understands that text using something called a command interpreter. One of those interpreters is called Bash, and it’s 25 years old now. As machines have become more advanced, we’ve been able to program them to use Bash on our behalf, so we can write websites that, now and again, will send commands to Bash to make it do certain things, like run complex programs, move files around, that sort of thing.

Very recently a bug was discovered in Bash that meant potentially dangerous code could be run through Bash. Here’s a really good explanation of the kind of thing we’re talking about, but explicitly for the web (it’s well-presented and not over-techy, so worth a watch):

Because websites can run Bash scripts, if someone managed to enter something into a field on a contact form that called a command via Bash, this would create a rather large problem. That’s also an over-simplification, but you get the idea.
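This is the kind of terminal check mentioned above, written out here as an added example rather than Substrakt's own script. It relies on the well-known detail of the bug: Bash used to execute any commands that followed a function definition passed to it through an environment variable. The check exports such a variable with an `echo vulnerable` tacked on, starts a child `bash`, and reports `vulnerable` only if that extra command actually ran. The function name `check_shellshock` and the three result strings are my own choices.

```bash
#!/bin/sh
# Local Shellshock check (added example, not the page's own script).
# Prints one of: "vulnerable", "patched", or "no-bash".
check_shellshock() {
    # Nothing to test if bash is not installed on this machine at all.
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # Export a harmless function body followed by an extra command.
    # An unpatched bash runs "echo vulnerable" while importing the
    # variable; a patched bash ignores the trailing text entirely.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Run stand-alone: print the verdict and exit non-zero if vulnerable.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    result=$(check_shellshock)
    echo "bash status: $result"
    [ "$result" != "vulnerable" ]
fi
```

Run it as a normal user on each server you care about; a `patched` result on one box says nothing about another, because the fix is applied per machine through the operating system's package updates. If the result is `vulnerable`, update the bash package and run the check again.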

The larger concern is that Bash is implemented in lots of different pieces of technology because it’s part of Linux, which is an operating system that can be made very small. That means it could affect lots of different Internet-connected devices (including routers).

More will surface about this in the coming days, possibly weeks. It’s a concern for the larger Internet, not just the web. As ever, if you want to stay up-to-date you can follow @substrakt on Twitter or contact us with any questions.

Stay safe!