Tuesday, September 30, 2014

Shellshock: Making sense of the question, “Am I vulnerable?”

It seems like such a simple question, “Am I vulnerable to Shellshock,” but it’s surprisingly complicated. Lots of Internet forums suggest pasting some magic code into your command line. If the code outputs “Vulnerable” then you need to upgrade. Unfortunately, it’s not that easy.

There’s an ongoing dance among security researchers, OS venders, the Bash authors, and attackers. Here’s what we know today (read more at the Tozny blog).