
Software Vulnerabilities – Poodle and Shellshock

30 October 2014

Siobhan Hancock

Lately it seems like the tech community has barely had a chance to breathe between the announcement of Heartbleed, then Shellshock and now Poodle.

It is perhaps fair to say that all software beyond the very simple has bugs, and unfortunately Poodle will not be the last. There will always be another media-grabbing vulnerability waiting to be released, but hopefully we’ll get Christmas out of the way first!

In the hosting community, security is a top priority at 34SP.com and we have always acted, and will always act, quickly. 34SP.com took steps to promptly patch and protect all of our managed servers upon becoming aware of these vulnerabilities, and in some cases our unmanaged servers as well. Our engineers act immediately to patch software vulnerabilities and work around the clock. If you are a customer of ours with a Dedicated Server or VPS and you have questions about the patches, we are more than happy to provide information on these. Please email support@34sp.com or call our Support Team on 0161 9873434.

The important thing to remember is whilst the media catches on and hypes up these vulnerabilities, we are a proactive company and have already taken steps to protect our customers. Unfortunately nobody can predict when and what the next vulnerability will be – but it’s important to be vigilant. Always arm your endpoints. Make sure your Internet security is up to date, and the same applies to your antivirus and firewall.

Poodle

Poodle stands for Padding Oracle On Downgraded Legacy Encryption. That sounds scary, but Poodle isn’t as much of a threat as Heartbleed was, though the media did instill fear into the community. Poodle is a vulnerability that affects the SSL 3.0 protocol. It is NOT a fundamental flaw with SSL certificates. An SSL certificate is behind the little padlock you see on websites, or the ‘HTTPS’; it’s an essential part of the encryption that protects communications between your computer and the websites you visit. An attacker could potentially exploit the Poodle vulnerability to steal data or, at worst, hijack your web browsing session. In reality Poodle is more of a concern ‘server side’ than ‘user side’, and as noted above, 34SP.com has patched our servers against this.

If you are worried in general about this bug outside of 34SP.com and you frequently buy items online, there are steps you can take to safeguard yourself. For one, make sure you are using the latest version of your browser. Older, legacy versions of browsers like Internet Explorer tend to be more vulnerable. You can also go into your settings and disable SSL 3.0 in your browser. A quick Google search will tell you which browsers are currently working towards doing this automatically for you. Mozilla Firefox is releasing this feature in late November.

“SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25” – Mozilla’s blog.

If you want to know more about Poodle: it was first uncovered by the Google Security Team, who released a paper on it, “This POODLE bites: exploiting the SSL 3.0 fallback”.
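For anyone running their own web server rather than a managed one, the server-side fix the post refers to is simply to stop offering SSL 3.0. The script below is an added example (not code from the original post or from 34SP.com) showing the weak and corrected Apache mod_ssl and nginx settings side by side, with small audit functions that read a config on stdin and report whether SSLv3 is still on; the config snippets are constructed, and the file paths in the comments are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example: audit web server TLS configuration for SSL 3.0 (POODLE).
# Sample directives below are constructed for illustration.

# Apache mod_ssl: 'all' in the 2014-era builds meant SSLv2/SSLv3/TLS alike,
# so the fix is to subtract the legacy protocols explicitly.
WEAK_APACHE='SSLProtocol all'
FIXED_APACHE='SSLProtocol all -SSLv2 -SSLv3'

# nginx has no subtraction syntax: whatever is listed is offered, so the fix
# is to list only the TLS versions.
WEAK_NGINX='ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;'
FIXED_NGINX='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'

# Classify one Apache SSLProtocol line.
apache_sslv3_status() {
    case "$1" in
        *-SSLv3*)                  echo sslv3-disabled ;;
        *all*|*+SSLv3*|*" SSLv3"*) echo sslv3-enabled ;;
        *)                         echo sslv3-disabled ;;
    esac
}

# Classify one nginx ssl_protocols line.
nginx_sslv3_status() {
    case "$1" in
        *SSLv3*) echo sslv3-enabled ;;
        *)       echo sslv3-disabled ;;
    esac
}

# Walk an Apache config on stdin. With no SSLProtocol directive at all,
# mod_ssl of that era defaulted to 'all', so the starting verdict is enabled.
audit_apache_config() {
    status=sslv3-enabled
    while IFS= read -r line; do
        set -- $line               # first word of the line, if any
        case "$1" in
            \#*) ;;                # comment line
            SSLProtocol) status=$(apache_sslv3_status "$line") ;;
        esac
    done
    echo "$status"
}

# Same walk for nginx. nginx releases of that era also included SSLv3 in the
# default ssl_protocols, so a missing directive is reported as enabled.
audit_nginx_config() {
    status=sslv3-enabled
    while IFS= read -r line; do
        set -- $line
        case "$1" in
            \#*) ;;
            ssl_protocols) status=$(nginx_sslv3_status "$line") ;;
        esac
    done
    echo "$status"
}

# Usage on real files (paths are assumptions; adjust for your distribution):
#   audit_apache_config < /etc/apache2/mods-enabled/ssl.conf
#   audit_nginx_config  < /etc/nginx/nginx.conf
#
# Live confirmation against your own server, using an OpenSSL build that still
# has SSLv3 compiled in (as 1.0.x builds of 2014 did). A handshake failure
# means the server now refuses SSL 3.0:
#   openssl s_client -connect www.example.com:443 -ssl3 </dev/null
```

Remember to restart or reload the web server after changing the directive; the audit only reads the file, it does not confirm what the running process is offering, which is what the openssl check in the closing comment is for.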

Shellshock

Many experts are saying Shellshock is much worse than the Heartbleed bug, and they are most probably right. Shellshock, also known as Bashdoor, is a vulnerability in the Bash shell. It allows an attacker to access and control your electronics without your permission. Shellshock affects vulnerable machines connected to the Internet, and web servers are a particular target. Unfortunately this is more of a threat than Heartbleed or Poodle, simply because it can allow an attacker to run the same commands as a legitimate user.

Many of our customers got in touch shortly after Shellshock was made public to find out what we are doing to protect them and to seek advice. 34SP.com patched against these on our managed servers and our VPSs too. Unfortunately I didn’t have time to write about it quickly enough before Poodle was released. However, if you have a dedicated server and you are really late to the party, there are patches online for Shellshock. Beware that there are many ‘panic’ patches; lcamtuf’s blog is a good place to start for understanding and patching against Shellshock.
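If you manage your own box and want to confirm the fix actually landed rather than trusting a package version string, the script below is an added example (not from the original post or from lcamtuf’s write-up). It relies on a side effect of the upstream Shellshock fixes that I am confident of: a patched bash exports shell functions under a namespaced variable name of the form BASH_FUNC_name%% (some early distribution patches used BASH_FUNC_name()), whereas an unpatched bash exported them as a plain name=() { ...} variable, which is exactly what let attacker-controlled environment variables reach the function parser. The probe function name is made up for the check.

```shell
#!/bin/sh
# Added example: detect whether the local bash has the Shellshock
# function-import hardening, without running any attack payload.

bash_version() {
    bash -c 'echo "$BASH_VERSION"' 2>/dev/null
}

# Export a throwaway function from a child bash and report the variable
# name it appears under in that child's environment.
exported_function_variable() {
    bash -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null \
        | grep -E '^(BASH_FUNC_)?probe_fn(%%|\(\))?=' \
        | cut -d= -f1
}

# yes:     namespaced BASH_FUNC_ export, fix present
# no:      legacy "probe_fn=() { ..." export, bash predates the fix
# unknown: bash missing or the probe could not run
shellshock_export_fix_present() {
    case "$(exported_function_variable)" in
        BASH_FUNC_probe_fn*) echo yes ;;
        probe_fn)            echo no ;;
        *)                   echo unknown ;;
    esac
}

# Run as a script to print the version and verdict. A 'yes' shows the
# function-import fix is installed; it does not by itself prove every
# follow-up parser bug is patched, so still take your distribution's
# full bash update.
printf 'bash %s: function-export fix present: %s\n' \
    "$(bash_version)" "$(shellshock_export_fix_present)"
```

Because the check exports a harmless function and only inspects the resulting environment, it is safe to run on production hosts; anything other than ‘yes’ means the machine should be patched before it serves CGI or any other path where request data ends up in environment variables.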

Thank you for reading this post, and I hope we have instilled confidence in you. We are happy to help in any way with these circumstances, as we understand it can be a stressful time. With Poodle being the third vulnerability found in 8 months, let’s hope we make it 12 months without a fourth 🙂

-Siobhan @34SP