Slashdot Mirror


Bash To Require Further Patching, As More Shellshock Holes Found

Bismillah writes Google security researcher Michael 'lcamtuf' Zalewski says he's discovered a new remote code execution vulnerability in the Bash parser (CVE-2014-6278) that is essentially equivalent to the original Shellshock bug, and trivial to exploit. "The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said. "The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.

3 of 329 comments

  1. Soon to be patched by Anonymous Coward · · Score: 0, Troll

    At least on Linux. Sorry, Mactards!

    1. Re:Soon to be patched by Kythe · · Score: 1, Troll

      Exactly. My goodness, Windows is legendary not only for having severe holes, but for Microsoft taking a long time to fix them.

      --

      Kythe
    2. Re:Soon to be patched by Anonymous Coward · · Score: -1, Troll

      The reason Windows doesn't have problems like this is that people will lose their jobs if they screw things up this badly. This is a security hole that has been staring us in the face for literally decades. If you think it hasn't been exploited then you are completely naive.

      Also, the fixes were not 'pushed' out. If you think fixing a few lines in the source code and saying "we're all good now" is fixing the problem, you live on a different planet. Don't you understand there are literally millions of machines out there running this code that will never be patched? Do you not comprehend that there will be billions of IoT devices out there running old code that will be hackable because of this?

      It's a fucking huge problem and one we didn't need to have.

      I'm so sick of hearing about how open source is more secure because third parties can 'review the code' and look for security holes. More often than not, these 'third parties' are not going to fart rainbows and issue a patch for everyone - they'll use it to rob you blind.

      How many times do we need to be burned like this before we learn? It's like when you hire your neighbor to do your electrical wiring to save a few bucks, and then your whole fucking house burns down and insurance won't cover it because you didn't have the work done properly.