by zaroth 4288 days ago
Shellshock is a perfect name coming after Heartbleed. But this bug is suffering from lack of marketing, lagging in the news behind the iOS update being pulled.

It's sad to see an RCE somewhere so widespread and so interwoven with other software. It's also costly because now I'm questioning server integrity, thinking about what should really be re-imaged. I assume there are many more like this in the CVE pipeline...

At some point I just have to live with the fact that outside access is possible to anyone so motivated.


Shellshock Bug Logo - http://imgur.com/vlriele
Front page of the site of one of the major Australian newspapers: "Largest bug ever hits the internet"

I think it will start to make its way out to the public with a bit more time.

I'm sure they've picked up now that the patch was bad. Should be an interesting day.

Wow, the comments there are...

If your conclusion that the patch was bad is based on the fact that CVE-2014-7169 still exists, I think that's an unfair assessment.

The patch appears to have been an adequate fix to the bug that was discovered. The fact that there is a second bug with a similar but not-identical attack vector is a reflection on the robustness/correctness of the original code more than it is a reflection on the quality of the patch.

... and also a reflection of how much security attention this one obscure feature has been receiving in the last 24 hours.

This is very similar to the pattern we saw with Heartbleed: a terrible bug with a lot of publicity, followed by a series of other vulnerabilities of various severity being found as suddenly it was "all eyes on OpenSSL": http://www.openssl.org/news/secadv_20140806.txt

I wouldn't be surprised if we're going to see a repeat of that here.
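A defender's check that follows on from the patch discussion above. It is added here and is not part of the thread or of anyone's comment: it runs the two published diagnostics against the local bash binary, one for the original environment-function-import bug and one for the follow-up parser variant tracked as CVE-2014-7169, so an administrator can confirm which of the two the installed patch actually covers. The function names and the scratch-directory approach are my own.

```shell
#!/bin/sh
# Added example, not from the Hacker News thread. Checks the local bash binary
# for the two Shellshock variants discussed above. Each check returns 0 when
# the variant is absent (patched), 1 when it is present, 2 when bash is missing.

# Original bug: bash executed the trailing command in an environment variable
# whose value looked like a function definition. A patched bash ignores the
# import and only runs the real command, so "vulnerable" never appears.
check_original_variant() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# Follow-up variant (CVE-2014-7169): the first patch left a parser bug that let
# a crafted environment value turn "echo date" into a redirection, creating a
# file named "echo" in the working directory. Run in a scratch directory and
# test whether that file appears; a patched bash just prints "date".
check_second_variant() {
    command -v bash >/dev/null 2>&1 || return 2
    scratch=$(mktemp -d) || return 2
    (
        cd "$scratch" || exit 2
        env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1
        [ -e echo ] && exit 1
        exit 0
    )
    rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# Human-readable summary for an administrator verifying a host.
report_variant() {
    name=$1
    shift
    "$@"
    case $? in
        0) echo "$name: not present" ;;
        1) echo "$name: PRESENT, bash still needs patching" ;;
        *) echo "$name: could not test (bash not found)" ;;
    esac
}

report_variant "original function-import bug" check_original_variant
report_variant "CVE-2014-7169 parser variant" check_second_variant
```

Run it on each host after applying vendor updates; a "PRESENT" line for only the second variant is exactly the situation the thread describes, where the first patch was a correct fix for the reported bug but not for the variant found afterwards.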