Unpatched Linux and OSX computers may be vulnerable to the new 'Shellshock' security hole that was released this week. This security flaw can be exploited by local users and under some conditions, remote attackers.
Apple has not yet released a patch, however their recent press release states that most systems are not remotely vulnerable unless certain services have been installed such as a web or ssh server. Users with local accounts may exploit the bug until a patch is released.
Like OSX, Linux is vulnerable to an attack by local users and vulnerable remotely only if certain services are installed. Patches have been released for most distributions and should be applied ASAP.
Execute the following command in a bash shell:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you get the following result then your version of bash can be exploited:
vulnerable
this is a test
CNET: https://www.cnet.com/news/vast-majority-of-os-x-users-safe-from-bash-shellshock-bug-apple-says/REDHAT: https://www.redhat.com/en/blog/bash-specially-crafted-environment-variables-code-injection-attack
541-737-5574
