While these brand-new vulnerabilities have emerged, they appear to be less “exploitable” through specially crafted environment variables than the original Bash Shellshock bug. Still, open source administrators need to stay vigilant and in “patch now” mode as further developments warrant.


QUOTE: If you patched your Linux-based systems before 1:11 a.m. Eastern Daylight Time yesterday for the major Shellshock vulnerability in the Bash function, your work is not done here yet. New bugs have been reported in Bash, so it’s probably time to patch again, security experts warn.

Johannes Ullrich, director of the SANS Internet Storm Center, says the newly discovered Bash vulnerabilities have not been patched, as of this posting: CVE-2014-7186, CVE-2014-7187, and CVE-2014-6277. The original Bash Shellshock bugs revealed on September 24 — CVE-2014-6271 and CVE-2014-7169 — have been patched and updated in major distributions, according to Ullrich.

The latest bugs in Bash are not one and the same as Shellshock, however. “They are not exploitable via environment variables as far as I know, so the CGI vector that has been a big problem with Shellshock doesn’t seem to apply,” says Ullrich, who is currently performing more testing on the latest findings.
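Since the article's advice boils down to "check your patch level and patch again", here is an added example (not from the quoted article or from SANS) of a local self-check for the original environment-variable bug, CVE-2014-6271, that an administrator can run on their own hosts to confirm the first round of patches actually took. It feeds bash an environment variable holding a function definition with a trailing command; an unpatched bash runs that command at startup, a patched one ignores it. The function names and the marker string are this example's own choices; the newer CVEs quoted above are not covered by this probe, which is exactly Ullrich's point that they are not reachable through environment variables.

```shell
#!/bin/sh
# Added example: local patch-status check for CVE-2014-6271 on your own hosts.
# Not taken from the quoted article; function names and marker are assumptions.

# Pure classifier so the verdict logic can be tested without a real bash:
#   $1 = captured stdout of the probe, $2 = marker string we asked to be echoed.
# Prints "vulnerable" if the marker came back (the trailing command executed),
# otherwise "patched".
classify_shellshock_output() {
    case "$1" in
        *"$2"*) echo "vulnerable" ;;
        *)      echo "patched" ;;
    esac
}

# Run the probe against a bash binary ($1, default: the bash on PATH).
# The only command carried in the variable is an echo of our marker, so the
# check is side-effect free on patched and unpatched systems alike.
check_shellshock_6271() {
    bash_bin="${1:-bash}"
    marker="shellshock_6271_marker"
    out=$(env x="() { :;}; echo $marker" "$bash_bin" -c ':' 2>/dev/null)
    classify_shellshock_output "$out" "$marker"
}

# Human-readable line suitable for a fleet-wide audit script; includes the
# bash version string so the report can be matched against vendor advisories.
report_shellshock_6271() {
    bash_bin="${1:-bash}"
    version=$("$bash_bin" --version 2>/dev/null | head -n 1)
    verdict=$(check_shellshock_6271 "$bash_bin")
    echo "$verdict: ${version:-$bash_bin not found} (CVE-2014-6271 env-var function import)"
}

report_shellshock_6271 "$@"
```

Run it as `sh shellshock_check.sh` or `sh shellshock_check.sh /bin/bash`; a host whose bash still executes the trailing command prints a line starting with `vulnerable`. Because the classifier is separated from the probe, the same script can be pointed at captured output from hosts you cannot run it on directly.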


QUOTE: I just published an updated YouTube presentation (about 15 min in length) with some of the shell shock related news from the last couple days:

YouTube: https://www.youtube.com/watch?v=b2HKgkH4LrQ
PDF: https://isc.sans.edu/presentations/ShellShockV2.pdf
PPT: https://isc.sans.edu/presentations/ShellShockV2.pptx