Last week, the Linux community was “shocked” to learn about Shellshock, a long-term bug that exists in bash, the command line environment on most Linux servers. The bug is being exploited in the wild to spread via a botnet, which automatically spreads itself to create more infected machines.
The vulnerability affects millions of Linux servers that are connected to the internet and use bash under the hood. Because bash exists at a lower level in the software, it can make other programs vulnerable, even PHP, depending on how the server is configured. We have demonstrated very simple, 5-minute proof-of-concept hacks against less-common PHP configurations.
Linux patches were released, but the early patches were incomplete and did not adequately address all vulnerabilities. SpireTech has patched all our servers, and servers that we manage for clients with the latest updates.
Mac systems running OS X may also be vulnerable, Apple released security updates for these on Sept 29th, but as of this writing they must be manually applied.
Concern remains over many devices that use Linux embedded in firmware, like routers firewalls, and wireless access points. It is not possible to patch these devices without vendor cooperation, and in many cases it is not even possible to know if they are vulnerable. Many of these devices may not even use bash, so we expect that their vulnerabilities will be rare.