Get used to reading about the bash “Shellshock” bug, because we won’t be rid of it for a while. The fix Apple released to patch it is incomplete, security researchers said.
See also: Apple Addresses Bash Bug With New Patch
Shellshock, a bug that allows hackers to control a system remotely by inserting commands directly into variables, is a lot bigger than we originally thought. Google security researcher Michal “lcamtuf” Zalewski has found six vulnerabilities associated with the bug.
Previously, Apple thought two Shellshock vulnerabilities were associated with the bash versions running by default on OS X Mavericks, Mountain Lion, Lion, and Lion Server—CVE-2014-7169 and CVE-2014-6271.
However, security researcher Greg Wiseman told CNet that he’s found a third. He ran a script on OS Mountain Lion and found that it’s vulnerable to CVE-2014-7186, a vulnerability that allows attackers to remotely create denial of service attacks.
Wiseman did not say he’d found the vulnerability on systems other than Mountain Lion, but if you want to be sure about your system, you can clone Hanno Böck’s bashcheck testing script from GitHub, the same one Wiseman used for his trials.
Apple has maintained that the “vast majority of users” are not susceptible to the bug, only those who have customized their advanced Unix settings. Unless that’s you, it might be preferable to sit tight. With a new patch coming out—and then being found lacking—so many days in a row, it’s clear there’s only so much we can fix on our own.
Photo by Adair733