Shellshock is now remote security risk

A Google security engineer has found that Shellshock can be remotely exploited, exposing the Linux, Unix and Mac bug to threats outside the organisation.

Michal Zalewski, also known as Icamtuf, warned that two more Bash command line bugs had emerged in the last few days, one of which was "trivially" easy to exploit.

"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski told iTnews.

"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug."

So far technical details are being withheld from the general public in order to give vendors time to patch, although Zalewski’s colleague Florian Weimar has issued an unofficial update.

In a blog post the engineer criticised patches released in the wake of the Shellshock disclosure, which he said did not prevent Bash parsing potential attack variables controlled by a hacker.

"At this point, I very strongly recommend manually deploying Florian’s patch unless your distro is already shipping it," he added.

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

Sign up for our regular news round-up!

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

I would also like to subscribe to:

Thank you for subscribing