New Security Flaws Render Shellshock Patch Ineffective

Author

Lauren Orsini

September 30, 2014

Your system is still vulnerable to the Shellshock bug, even if you’ve patched it. Security researchers have found new flaws in bash, rendering previous patches ineffective.

The bash shell is an omnipresent command-line interpreter used by default in Unix and Linux, and by extension, Apple’s OS X software. The shell itself is decades old, and it turns out the bug has been present for the last 22 years without detection.

Linux stewardship company Red Hat released a series of fixes to patch up the eight or so versions of bash that were vulnerable. On Friday, Red Hat released a second round of patches to resolve newly discovered security flaws, and those discoveries keep coming.

Google security researcher Michal “lcamtuf” Zalewski has been tweeting as he uncovers increasingly serious vulnerabilities in the bash shell. He recommends Red Hat security researcher Florian Weimer’s still-unofficial patch.

Shellshock exploits are spiking with the development of “wopbot,” the first botnet designed specifically to target the bash bug. 

At the moment, the only people who need to worry about patching the Shellshock bug right away are system administrators and people who have tweaked the advanced Unix settings on machines running OS X or Linux.

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” Apple said.
