Don't get too comfy just because companies are rolling out patches for the Shellshock security bug -- as it turns out, even updated websites and devices remain at risk. Developers are reporting that they can still run any code they like (and thus hijack systems) through the bash command shell simply by using instructions that aren't covered by existing safeguards. You can use a common variable like "cat" (concatenate) to bypass the defenses, for instance. The only surefire fix may be a fundamental change to how the shell handles variables, which could break legions of apps and services. You still don't have much reason to worry about your home Mac or Linux PC, but it's now considerably less likely that the sites and connected gadgets you use will will be truly immune to Shellshock-based attacks.
[Image credit: Robert Graham, Twitter]
Filed under: Internet, Software
Via: Ars Technica
Source: Seclists.org, GNU.org
from Engadget Full RSS Feed http://ift.tt/1BrFgB7
via http://ift.tt/1BrFgB7
Blogger Comment