Shellshock
Any idea how to safeguard your system before Apple is supplying a patch?
Thanks for your ideas
LL
OS X Mavericks (10.9), Yes, I still love my Newton...
I think you're better off in this topic: CVE-2014-6271 bash vulnerability
The truth is: yes you are technically vulnerable. But the reality is unless you allow SSH access from remote connections or a web server that runs server side scripting, you are not at risk. You are only truly vulnerable if someone you do not know can remotely access your machine & do so in a way where a Bash command can be executed.
So this issue is mainly of concern to system administrators on Mac OS X & Unix/Linux servers exposed to the world, not desktop users who do not enable SSH sharing.
DHCP appears to be a potential vector as well:
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
To manually patch the bash shell, follow this tutorial: http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/; Apple doesn't seem to be releasing an update soon, while Linux users and servers have already been patched. If you don't want to patch your bash, I strongly advise you not to use it. Remember that this is a really huge exploit of the system, and some have already reported that hackers are using the security flaw to get into some systems.
No, it's not true. Users can still invoke the bash shell on your system remotely, and they do not need admin rights to do that; that is why it is dangerous. Hackers have already been reported to hack systems. Linux, however, has already released a security patch which can partially stop the attack, and reports say that another patch will be released tomorrow which can definitely stop the exploit. On the other hand, Apple has not released anything yet, but some websites are showing a workaround to update your bash to the latest version. If you know what you're doing, give it a go. I was vulnerable, now I'm not, on both my Mac and Linux systems :-)
fmiranda wrote:
The truth is: yes you are technically vulnerable. But the reality is unless you allow SSH access from remote connections or a web server that runs server side scripting, you are not at risk. You are only truly vulnerable if someone you do not know can remotely access your machine & do so in a way where a Bash command can be executed.
So this issue is mainly of concern to system administrators on Mac OS X & Unix/Linux servers exposed to the world, not desktop users who do not enable SSH sharing.
True, potentially not as vulnerable as web servers. But this exploit could be used for privilege escalation, like with a malicious app or drive-by download in combination with other unpatched exploits.
Don't think you are safe. 92 only patches part of the vulnerability.
LL
OK, we have a fix for both vulnerabilities:
http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html
LL
Stuff behind your router may be hard to reach, in that it takes an extra hop, but since your broadband router is almost assuredly vulnerable, and runs a web server as a method of interacting with you on your LAN, your router is a nice entry point.
Many nix-based routers use BusyBox for the shell, which is not vulnerable. It appears some routers by Ubiquiti use bash but they are not commonplace in the home end user market.
Linksys (/ Cisco) uses a flavor with bash in many of their premium routers from the past several years. There are even tutorials online about sending bash commands to them to automate things like nightly restarts, etc.
It's far from over.
Mr Hoffman posted a link to two more vulnerabilities. You also want to check out this link: http://en.wikipedia.org/wiki/Shellshock_(software_bug)
LL
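An added example, not part of any post in this thread: a local self-check that reports whether a shell on your own machine still shows the CVE-2014-6271 behaviour, which is useful for confirming that a manual patch took effect. It tests only CVE-2014-6271, not the follow-up issues mentioned above. The marker string, the variable name `probe` and the list of paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: local self-check for the CVE-2014-6271 behaviour.
# CANARY is a constructed marker string; it is only ever echoed.
CANARY="SHELLSHOCK_CANARY_6271"

# check_shell PATH
# Returns 0 if the shell at PATH runs the text that follows a function
# definition held in an environment variable (the CVE-2014-6271 behaviour),
# 1 if it does not, 2 if PATH is not an executable file.
check_shell() {
    shell_path=$1
    [ -x "$shell_path" ] && [ ! -d "$shell_path" ] || return 2
    # 'probe' is an arbitrary variable name. A fixed shell treats the value
    # as plain data, so the trailing echo never runs and nothing is printed.
    out=$(env probe="() { :;}; echo $CANARY" "$shell_path" -c ':' 2>/dev/null) || true
    case $out in
        *"$CANARY"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit_shells PATH...
# Prints one verdict per path and returns the number of vulnerable shells.
audit_shells() {
    vulnerable=0
    for p in "$@"; do
        rc=0
        check_shell "$p" || rc=$?
        case $rc in
            0) echo "VULNERABLE      $p"; vulnerable=$((vulnerable + 1)) ;;
            1) echo "not vulnerable  $p" ;;
            *) echo "skipped         $p (not an executable file)" ;;
        esac
    done
    return "$vulnerable"
}

# On OS X, /bin/sh is also bash, so check both binaries.
audit_shells /bin/bash /bin/sh || echo "Patch or replace the shells marked VULNERABLE."
```

Re-run it after patching: both paths should report "not vulnerable".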