Another month and another internet-ending security bug has been published to the world; this one is called Shellshock. Here's the good news: Vision Critical is not affected by the problem.
We, like most companies, became aware of this potential security issue on September 24th. We became aware of it because we monitor various news sources, mailing lists and security feeds. Our security and operations staff immediately started evaluating the issue and determined that we were not affected by the bug. However, as a prudent measure, we elected to deploy the software update to any systems running an older version of the software component that had the bug.
How did we know we were not affected?
The bug exists within a piece of software that runs on Unix and Unix-like operating systems (such as Linux); the software is called Bash (stands for Bourne-again Shell; a nerdy in-joke) and provides users with a shell or terminal interface to run commands and scripts in. For those of you not familiar with a shell, think of it as a command line or text-driven interface for controlling a computer. Details on Bash are available on Wikipedia.
Our core products all run on top of Windows servers, which, by default, do not run Bash, and we haven't installed Bash on our Windows servers. So in short, the systems that provide services to our customers and their community members are not running the vulnerable piece of software.
Why did we patch anyway?
We do run a few Linux servers and appliances in our environment, which provide supporting infrastructure. We know they don't take input from unsafe places (like the internet), but we felt it prudent to update the software as a precaution. We wanted to be 100% safe rather than be sorry down the road. We deployed the updates quickly the next day. We also contacted our various partners that provide services to us and confirmed they had promptly attended to the matter.
How bad is this bug?
It's bad if you run a service (such as a web server or a mail server) on the internet that takes input from users on the internet and that input is run through a Bash script. The bug could result in the computer being taken over and placed under the complete control of criminals (read: hackers). The good news is, we don't have any systems that take input from the internet and pass it to Bash scripts. Wikipedia has more details.
The takeaway for our customers and our community members is that we take security seriously, we monitor for issues and we respond quickly. Our goal is to deliver secure communities that provide a safe place for companies to engage their customers and for people to engage with each other; we get that you're trusting us with your data.
I've purposefully glossed over some of the technical details about this, so if you or your security team would like to talk more about this then please reach out to me through your customer success manager.