Jump to content
Thorz

Evernote and the Shellshock security bug?

Recommended Posts

This is a user forum,  so you might be better off raising this query as a support request (see below).  Employees do read the forums,  but you're not guaranteed a quick (or any) answer...

Share this post


Link to post

Is Evernote affected by the Shellshock bug? Have not seen any statement in your webpage, blog, social media or here. I use it on iOS, Mac and Windows.

 

More infor on Shellshock:

 

http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets-ddos-attacks/

 

Thanks for the headsup.  This is an issue for ALL USERS, not just Evernote.  In particular Mac and Linux machines are vunerable.

 

From http://mashable.com/2014/09/25/shellshock-bash-bug/

 

 

 

Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn't appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.

What makes this particular bug problematic is the fact that Bash is the default shell in Mac OS X and many Linux machines, meaning it's also used in many web servers. 

Share this post


Link to post

Note:  I moved this thread from the Evernote/iOS forum to the General Discussion forum because it applies to all Evernote platforms/clients.

Share this post


Link to post

Some good news for most Mac Users -- you have a very low risk of being infected.

 

From Safe from Shellshock: How to protect your home computer from the Bash shell bug

 

 

 

How to keep your computer safe from the Shellshock bug

Oh no! Your system is still vulnerable to Shellshock! What should you do now?

 

Nothing drastic, if you’re an average computer user. If your computer is tucked safely behind a firewall—as it should be—the impact on you should be minimal, since attackers won’t have any way to execute malicious code through the Bash shell on your system unless they trick you into running the command locally somehow. Shellshock is more dangerous for web servers and devices that "listen" for Internet commands than home PCs.

Apple drove that point home in its response to the Shellshock bug, which was provided to iMore:

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities
… With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

 

Share this post


Link to post

Anyone know if other shells are at risk? I run ZSH but when I run the test code (env x='() { :;}; echo vulnerable' bash -c "echo this is a test") in ZSH it tells me it is vulnerable. I'm assuming that maybe ZSH just doesn't parse the commands the same and I am getting a false positive but I just wanted to see if anyone was sure.  One of the reasons I think it is a false positive is because my router runs DD-WRT and supposedly that runs BusyBox instead of Bash and even though the DD-WRT community says it is not vulnerable the same test tells me it is.

Share this post


Link to post

×
×
  • Create New...