A critical security vulnerability was announced today, affecting a system shell used by the vast majority of Internet servers. The vulnerability allows remote hackers to run code on a system without authorization (somewhat like having a virus, but without any malicious code being installed). We are taking this very seriously and are in the process of applying security patches to all Spiral services.
Even Android smartphones may require a system update to address this, though the extent of that vulnerability is not yet known.
We will update this post as systems are secured and more information about Macintosh patches is released.
Update, 9/25: All Spiral servers were secured last night before the first exploits were published, though a smaller secondary vulnerability was identified and we are waiting for further official patches before declaring the issue fully resolved.
The primary concern for Macintosh users is a machine that runs external services, such as a web server. Although some websites are suggesting an immediate recompile of the Mac OS X bash binary, the average Mac user should probably wait for an official patch from Apple rather than risk damaging their own system.
The best available information is that smartphones are not vulnerable out of the box, but specific applications may install or use the bash shell that’s at the root of the problem.
The vulnerability does not appear to exist in the Pace DSL modems that we sell, but we are currently working to confirm that.