Here's some of the latest news on the Shellshock Bash bug:
The anatomy of a Shellshock attack in the wild - Troy Hunt - troyhunt.com
It’s probably a bit early to speculate about the true cost of Shellshock, but what I can do – and in a very objective fashion – is decompose a typical Bash bug attack. I can do this because I had one hit my logs just a couple of days ago.
Shellshock fixes beget another round of patches as attacks mount - Sean Gallagher - Ars Technica
At the same time, the urgency of applying those patches has mounted as more attacks that exploit the weaknesses in bash’s security (dubbed “Shellshock”) have appeared. In addition to the threat first spotted the day after the vulnerability was made public, a number of new attacks have emerged. While some appear to simply be vulnerability scans, there are also new exploit attempts that carry malware or attempt to give the attacker direct remote control of the targeted system.
Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 - Andrew Cunningham - Ars Technica
Shellshock, in essence, allows attackers to issue commands to systems via malformed environment variables. In the case of Web servers, it can allow attackers to gain full control of the system. Exploits of the bug have already been spotted in the wild, and end users and server administrators are all encouraged to patch their systems as soon as possible.
Still more vulnerabilities in bash? Shellshock becomes whack-a-mole - Sean Gallagher - Ars Technica
In other words, “Shellshock” may be partially patched, but it’s still highly dangerous on systems that might use bash to pass information to the operating system or to launch other software. And it may take a significant change to fix the code.
This post first appeared on Exploring Information Security.