Bash and Shell Shock Today, The Good, But Mostly Just Bad
A few days ago I posted about a nasty vulnerability pertaining to GNU Bourne Again Shell, otherwise known as bash, The vulnerabilities still exist in unpatched systems and the scope of what could be affected is still expanding.
The good news is a few vendors have provided updates clarifying that they are not vulnerable but patched systems anyhow. Unfortunately, that's about where most of the good news stops, other than vendors and developers are looking at and working to close holes in many cases.
The bad news seems to keep coming, the vulnerabilities still exist in unpatched systems and the scope of what could be affected continues to expand. In addition, the first round of bash patches were NOT fully effective in remediating the vulnerabilities. In addition to this, hackers have begun to scan the entirity of the internet for vulnerable systems, this includes IP and website base scanning vectors. Botnets are coming to life and script based exploits for this vulnerability are coming out faster and more sophisticated.
The short and long of this is that as soon as you have access to the very latest patches for bash, those would be patches that came out over the weekend of September 27th, you should apply them immediately. With the active nature of this threat it seems this is only going to get worse before it gets better. Check with your vendors to find out if they're all the way up to date on this.