New “Shellshock” patch rushed out to resolve gaps in first fix [Updated]

Update, 9/26 11:00 PM ET: The most recent patches issued for the "Shellshock" bug have apparently still left avenues of attack, based on the analysis of several open source developers. See the latest report for further information.

After the discovery that a patch designed to repair the “Shellshock” vulnerability in the GNU Bourne Again Shell (bash) still allowed an attacker to execute commands on a remote system, Red Hat, Ubuntu, and other Linux distribution providers have pushed out a second fix for the vulnerability. At the same time, security researchers and service providers have detected a surge in scans for systems with the vulnerability, as would-be attackers seek to take advantage of the bug.

“Shellshock” has been compared to the Heartbleed bug discovered in the OpenSSL cryptography library in April because of its potential severity and its widespread nature. Like Heartbleed, the Shellshock vulnerabilities were introduced by errors in coding years ago—errors made by an unpaid volunteer writing code that would end up in millions of computer systems.
