Linked by Thom Holwerda on Fri 26th Sep 2014 05:00 UTC
Privacy, Security, Encryption

By now you may have heard about a new bug found in the Bash shell. And unless you're a programmer or security expert, you're probably wondering if you should really worry. The short answer is: Don't panic, but you should definitely learn more about it, because you may be in contact with vulnerable devices.

This bug, baptized "Shellshock" by Security Researchers, affects the Unix command shell "Bash," which happens to be one of the most common applications in those systems. That includes any machine running Mac OS X or Linux.

A very simple and straightforward explanation of this major new security issue. The OSNews servers were updated yesterday.

RE[4]: Routers
by snorkel2 on Fri 26th Sep 2014 19:53 UTC in reply to "RE[3]: Routers"

It is that simple.
If you have an Apache server and no CGIs that are written in bash (who does that anymore anyway?) and you don't spawn a shell, you're pretty safe.

For example, I have bash on my web server and I have several CGIs in Python, and I know for a fact they don't call popen or use a shell. I think I would be pretty safe even without an updated bash.

Also, how would they set these environment vars? Wouldn't they need access to the system to set them in the first place? Seems to me they would need to find an exploit to set the vars, and if they were able to do that, why would they need to use the bash bug?

Edited 2014-09-26 20:02 UTC

Reply Parent Score: 2
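
For context on the environment-variable question in the comment above, an added example (not part of the original post or thread): under CGI (RFC 3875) the web server copies request headers into `HTTP_*` environment variables of the CGI process, and this Python code shows that mapping plus a check that drops function-definition-like values before any child process is started. The function names and sample headers are constructed for illustration.

```python
# Added illustration; not code from the linked article or from any commenter.
# All sample header values below are constructed.

# Pre-patch bash treated an environment value starting with these four
# characters as an exported function definition and parsed it at startup.
FUNC_PREFIX = "() {"


def cgi_env_from_headers(headers):
    """Map request headers to CGI meta-variables as RFC 3875 section 4.1.18 describes."""
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        # Content-Type and Content-Length get their own unprefixed variables.
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env


def function_like_vars(env):
    """Return the sorted names of variables whose value looks like a function definition."""
    return sorted(k for k, v in env.items() if v.startswith(FUNC_PREFIX))


def scrubbed_env(env, base=None):
    """Build a child-process environment: a trusted base plus request variables
    that are not function-like."""
    bad = set(function_like_vars(env))
    clean = dict(base or {"PATH": "/usr/bin:/bin"})
    clean.update({k: v for k, v in env.items() if k not in bad})
    return clean


# Constructed request headers; the second value only has the function-like shape.
SAMPLE_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "() { :; }; [constructed trailing text]",
    "Accept-Language": "en-GB",
    "Content-Type": "text/plain",
}

if __name__ == "__main__":
    env = cgi_env_from_headers(SAMPLE_HEADERS)
    print("flagged:", function_like_vars(env))
    print("child env keys:", sorted(scrubbed_env(env)))
```

A dictionary built this way can be passed as the `env=` argument of `subprocess.run`, so that any helper a CGI does start never inherits the request-derived values that were flagged.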