Here’s what you need to know about the recently discovered Bash vulnerability, a.k.a. Shellshock:
What is the Shellshock bug?
It’s a vulnerability, disclosed on September 24, 2014, that affects GNU Bash and allows remote attackers to execute arbitrary code, under certain conditions, using environment variable assignments. (If you’re into reading Ars, their write-up breaks it down nicely.)
Why is the Bash vulnerability important?
As GNU Bash is installed on most Unix, Linux and Mac OS X systems (servers as well as personal computers), and the vulnerability has existed since 1994, it can affect most of the websites and Internet services you use daily.
Additionally, this bug can allow an attacker to take control of the server (accessing, modifying, or deleting arbitrary files, running programs, etc.). As such, it can be considered more harmful than Heartbleed, which only allowed peeking at a server’s data without being able to take action.
How does this affect Dashlane?
Dashlane does not use Bash on servers that are accessible from the Internet. Additionally, we applied the latest patch to Bash, so that we don’t become vulnerable should we start to use it in the future. On that front, all’s well.
What should you do?
The odds of this personally impacting you are slim. (PC World has a great write-up on this.) Sites and services that you use, however, need to do their part and apply the patch. Once that happens, you can update your passwords to be on the safe side. And while this is all getting sorted, you should avoid using unsecured WiFi connections, or remove them from your devices. (The same advice applied to the CCS Injection vulnerability.)