A critical security vulnerability (now known as “Shellshock”) was announced today, affecting a system shell used by the vast majority of Internet servers. The vulnerability allows remote hackers to run code on a system without authorization (somewhat like having a virus, but without any malicious code being installed). We are taking this very seriously and are in the process of applying security patches to all Spiral services.
According to many reports, Mac OS X is also vulnerable — Macintosh users need to keep an eye open for security updates from Apple, and install them immediately once a patch is released.
Even Android smartphones may require a system update to address this, though the extent of their exposure is not yet known.
We will update this post as systems are secured and more information about Macintosh patches is released.
Update, 9/25: All Spiral servers were secured last night before the first exploits were published, though a smaller secondary vulnerability was identified and we are waiting for further official patches before declaring the issue fully resolved.
The primary concern for Macintosh users is if you are running external services on your machine, such as a web server. Although some websites are suggesting an immediate recompile of the Mac OS X bash binary, the average Mac user is probably better off waiting for an official patch from Apple rather than risking damage to their own system.
Best available information is that smartphones are not vulnerable out of the box, but specific applications may install or use the bash shell that’s at the root of the problem.
The vulnerability does not appear to exist in the Pace DSL modems that we sell, but we are currently working to confirm that.
Update, 9/30: Apple has released a patch for Mac OS X (versions 10.7 and up), which fixes most of the vulnerabilities identified. If you use a Macintosh computer, make certain all recent software updates have been applied.
The final patches to secure against all known variations of the Shellshock bug have been applied to all Spiral servers, and we are continuing to monitor for related outbreaks or exploits.
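For readers weighing whether to recompile bash or wait for a vendor patch, and for confirming that an applied update actually closed the hole, here is an added self-test (not part of the original post or of any vendor advisory) for the original function-import bug. It assumes bash is on the PATH and treats a missing bash as not vulnerable; it only reads the behaviour of a child shell and changes nothing on the system.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: local self-test for the
# original Shellshock bug. bash used to import shell functions from
# environment variables whose value starts with "() {"; an unpatched
# bash kept parsing past the function body and executed whatever
# followed it. The test hands a child bash such a variable and looks for
# the tell-tale extra output.

# Returns 0 when bash is patched (or not installed), 1 when the
# function-import bug is still present.
shellshock_check() {
  command -v bash >/dev/null 2>&1 || return 0
  local out
  # Patched bash ignores the trailing command (and warns on stderr, which
  # we discard); vulnerable bash prints "vulnerable" before "test".
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
  case "$out" in
    *vulnerable*) return 1 ;;
    *)            return 0 ;;
  esac
}

# Human-readable summary, e.g. for a fleet-wide check script.
shellshock_status() {
  if shellshock_check; then
    echo "patched"
  else
    echo "VULNERABLE"
  fi
}

# Run directly: print the verdict and exit non-zero if vulnerable.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  status=$(shellshock_status)
  echo "bash $(bash -c 'echo $BASH_VERSION' 2>/dev/null): $status"
  [ "$status" = "patched" ]
fi
```

A clean result here covers only the original bug; the secondary parser issue mentioned in the 9/25 update needs its own vendor-supplied check, so treat "patched" as necessary rather than sufficient until the follow-up updates are installed.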