Your system is still vulnerable to the Shellshock bug, even if you’ve patched it. Security researchers have found new flaws in bash, rendering previous patches ineffective.
The bash shell is an omnipresent command-line interpreter used by default in Unix and Linux, and by extension, Apple’s OS X software. The shell itself is decades old, and it turns out the bug has been present for the last 22 years without detection.
Linux stewardship company Red Hat released a series of fixes to patch up the eight or so versions of bash that were vulnerable. On Friday, Red Hat released a second round of patches to resolve newly discovered security flaws, and those discoveries keep coming.
Google security researcher Michal “lcamtuf” Zalewski has been tweeting as he uncovers increasingly serious vulnerabilities in the bash shell. He recommends Red Hat security researcher Florian Weimer’s still-unofficial patch.
Found 6th and most serious issue in bash, equiv to the original RCE. If you're using just the first patch, you'll be in trouble soon.
— lcamtuf (@lcamtuf) September 28, 2014
Shellshock exploits are spiking with the development of “wopbot,” the first botnet designed specifically to target the bash bug.
At the moment, the only people who need to worry about patching the Shellshock bug right away are system administrators and people who have tweaked the advanced Unix settings on machines running OS X or Linux.
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” Apple said.