Posted by John Kleeman
You may have heard of the recent “ShellShock” vulnerability where a bug in a program called “GNU Bash” puts Internet systems containing the program at risk. This bug was revealed to the public on September 24th, and here is Questionmark’s response to the bug.
Our internal Computer Emergency Response Team (CERT) immediately reviewed our servers and systems to identify any potential vulnerabilities. Fortunately, most Questionmark systems use Microsoft technology and do not contain the “GNU Bash” program, and Questionmark software is not impacted by this vulnerability.
Here is some additional information for our customers:
Questionmark’s cloud-based products and services:
- Our collaborative authoring system, Questionmark Live was not vulnerable to the bug.
Questionmark’s US OnDemand Service
- Questionmark’s US OnDemand Service was not vulnerable to the bug.
Questionmark’s European OnDemand Service
- Questionmark’s European OnDemand Service was not vulnerable to the bug. One related system uses Linux; this was reviewed and there was no way to exploit the vulnerability, but it has been patched in any case.
If you use Linux or OS X on client computers accessing Questionmark’s cloud-based services, there is no vulnerability directly due to use of Questionmark OnDemand, but you should check with your IT department on whether it would be wise to patch or update these client computers.
Questionmark products for on-premise deployment
- Our behind the firewall product, Questionmark Perception does not require or use GNU Bash and runs on Microsoft Windows which does not usually deploy GNU Bash. This vulnerability will not impact most customer servers for Questionmark Perception. For the small number of customers who use Linux or OS X within your Questionmark Perception environment (for example to run the Perception database or for participants to take assessments), you should work with your IT department to patch the systems. All customers should also check other non-Questionmark systems in your landscape.
If any Questionmark user or customer has questions, please raise them with your Questionmark account manager or with technical support. I hope that this rapid response and transparency highlights our commitment to security.This also illustrates the value of an OnDemand service. Rather than having to rely on internal IT to catch up and patch vulnerable systems, you can delegate this to Questionmark as your service provider.
Watch this video for more about Questionmark’s commitment to security.