'Shellshock' Bash Bug (CVE-2014-6271)

'Shellshock' Bash Bug (CVE-2014-6271). What is it?

Bash, short for the Bourne-Again Shell, is a command-line shell program built into most Linux, UNIX and Mac OS X systems, where it evaluates and executes commands, including commands passed to it by other programs. The flaw allows an attacker to trick Web servers into running arbitrary commands and executing arbitrary code on the vulnerable system.

How does it affect the vulnerable system?

Unlike Heartbleed, which was really about attackers getting information from machines, the Bash Bug allows attackers to execute code on the affected devices, mostly Web servers, so hackers can potentially take over the operating system, access confidential information, make changes, etc.

Was Hushmail affected?

No. We do not invoke a shell from an HTTP request from the Internet, and we do not expose SSH to the Internet, so we are not vulnerable to this attack via those services. The limited number of other services that we expose to the Internet were investigated and determined not to be vulnerable.

In addition, all Internet-facing systems were fully patched as of 5 PM PST on September 24, 2014.

Resources:
http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
http://www.scmagazine.com/linux-and-os-x-flaw-may-have-greater-impact-than-heartbleed/article/373743/