Shellshock is a newly-discovered vulnerability in Bash (the Bourne Again Shell), one of the most commonly used shells on Linux, UNIX and OS X.
Although it can be exploited in some cases, the good news is that not all implementations can be exploited, and only certain services and applications allow a hacker to exploit this issue.
In addition, we have examined our products and we are confident that the Shellshock vulnerability can’t be exploited in any Sophos product.
As far as we’re aware, we don’t have any servers or services that could have been exploited due to his bug. This includes our internal business systems, Sophos web servers, update servers, partner portal and support forums.
For the latest information on how this bug affects Sophos products, please refer to our knowledgebase article from Sophos Support.