Evernote and the Shellshock security bug?


  • Level 5*

Is Evernote affected by the Shellshock bug? Have not seen any statement in your webpage, blog, social media or here. I use it on iOS, Mac and Windows.

 

More info on Shellshock:

http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets-ddos-attacks/

 

Thanks for the heads-up. This is an issue for ALL USERS, not just Evernote. In particular, Mac and Linux machines are vulnerable.

From http://mashable.com/2014/09/25/shellshock-bash-bug/

Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn't appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.

What makes this particular bug problematic is the fact that Bash is the default shell in Mac OS X and many Linux machines, meaning it's also used in many web servers. 

Link to comment
  • Level 5*

Some good news for most Mac Users -- you have a very low risk of being infected.

 

From "Safe from Shellshock: How to protect your home computer from the Bash shell bug"

How to keep your computer safe from the Shellshock bug

Oh no! Your system is still vulnerable to Shellshock! What should you do now?

 

Nothing drastic, if you’re an average computer user. If your computer is tucked safely behind a firewall—as it should be—the impact on you should be minimal, since attackers won’t have any way to execute malicious code through the Bash shell on your system unless they trick you into running the command locally somehow. Shellshock is more dangerous for web servers and devices that "listen" for Internet commands than home PCs.

Apple drove that point home in its response to the Shellshock bug, which was provided to iMore:

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities … With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

 

Link to comment

Anyone know if other shells are at risk? I run ZSH but when I run the test code (env x='() { :;}; echo vulnerable' bash -c "echo this is a test") in ZSH it tells me it is vulnerable. I'm assuming that maybe ZSH just doesn't parse the commands the same and I am getting a false positive but I just wanted to see if anyone was sure.  One of the reasons I think it is a false positive is because my router runs DD-WRT and supposedly that runs BusyBox instead of Bash and even though the DD-WRT community says it is not vulnerable the same test tells me it is.

Link to comment
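
Added example, not part of any post in this thread: the test command quoted above names `bash` explicitly, so whichever shell it is typed into, the result describes the `bash` binary found on the PATH of the machine where it runs. The script below runs the same test string through each shell by name; the function names and the list of shells are assumptions made for illustration.

```shell
#!/bin/sh
# Runs the thread's test string through one named shell at a time, so the
# verdict is tied to a specific binary rather than to the interactive shell.

# classify_output TEXT: interpret what the test command printed.
classify_output() {
    case "$1" in
        *vulnerable*)       echo "vulnerable" ;;      # injected echo was executed
        *"this is a test"*) echo "not vulnerable" ;;  # only the intended command ran
        *)                  echo "inconclusive" ;;    # shell produced neither line
    esac
}

# check_shell NAME [ARGS...]: run the test through NAME (e.g. "busybox sh").
check_shell() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$@" -c 'echo this is a test' 2>/dev/null) || true
    classify_output "$out"
}

# report: one line per shell with the path it resolves to and the verdict.
report() {
    for name in bash sh zsh dash; do
        path=$(command -v "$name" 2>/dev/null) || path="-"
        printf '%-8s %-28s %s\n' "$name" "$path" "$(check_shell "$name")"
    done
    path=$(command -v busybox 2>/dev/null) || path="-"
    printf '%-8s %-28s %s\n' "busybox" "$path" "$(check_shell busybox sh)"
}

report
```

This covers only the test string quoted in the thread, and it has to be run on the device being checked: a router is only tested when the script runs on the router itself.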

Archived

This topic is now archived and is closed to further replies.
