Update November 14, 2014: A new possible vector of attack involving DNS responses has been disclosed (CVE-2014-3671).  At this time it is unclear which (if any) native applications could be affected by this.  To use this mechanism of attack, an attacker would either need to cause the user to connect to a specific DNS name, or be able to intercept and modify DNS responses.  Systems that have the previously mentioned patches applied will not be vulnerable to this new attack vector.  It is recommended that all users apply the patches for the Shellshock vulnerability to ensure that they are not affected by this, or any future attack vectors
Update: Apple has released patches for Bash in OS X.  Testing confirms that this patch resolves CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187.  
—————————————
Since it was announced yesterday, there has been a huge amount of attention given to the “Shellshock” (CVE-2014-6271) vulnerability.  This vulnerability affects the Bash shell application, which is used on a wide variety of unix-style operating systems.  Given the widespread adoption of these operating systems by device and computer manufacturers, there has been a lot of speculation as to what exactly is vulnerable, and what is not.
In order for this bug to be successfully exploited, two conditions must be met:
1.  A vulnerable version of Bash must be present.
Versions up to and including 4.3 are vulnerable.  An initial patch was released to address CVE-2014-6271 however it does not fully resolve the problem.  The newly discovered issues have been assigned to CVE-2014-7169, and a patch for them is still pending.
2.  The system must pass external input as an environment variable to a Bash script.
The attack surface of this vulnerability is severely limited by this second requirement.  Typically only authenticated users will have access to the Bash shell interpreter (after all, its used to provide shell access to a system!).  It is primarily how other applications interact with bash that will leave a system open to attack or not.
Unlike Windows, since OS X is based on FreeBSD, it has Bash preinstalled.  As shown below, we have confirmed that the latest version of OS X (10.9.5) is vulnerable to this issue:
Unlike Linux or OSX based targets, there are very few services commonly running on iOS devices that might be open for remote attack.  The primary one is DHCP, with almost everything else being restricted or not even present.
DHCP
As with OS X, an attack vector to actually make use of this vulnerability is still required.  Once again we ran the malicious DHCP server to see if this device would be vulnerable.  Similar to before, the test command was not executed, and no files were written.
It would have actually been a little bit surprising if this attack did work, as iOS devices don’t usually have a copy of Bash installed.  This means that the DHCP client that ships with iOS devices would never try to interact with Bash as it would not be the installed shell interpreter.  It is possible that jailbreaking could change the default shell interpreter, but the test confirmed that iOS devices are still not vulnerable.
There appears to be a lot of confusion as to what other devices and systems are vulnerable.  While a huge variety of devices are going to be affected, there are some that definitely are not.
Android based devices
While Android is based on Linux, it does not actually make use of the Bash shell interpreter.  Instead it uses Mksh (or Ash on very old versions), which is more limited in functionality, and importantly, not vulnerable to Shellshock.  So Android users, whether rooted or not do not need to be concerned about this vulnerability.
Internet of Things
The majority of consumer embedded devices run some version of embedded Linux.  This includes everything from your wireless router, to your thermostat, to your light bulbs (possibly!).  While these devices are often full of vulnerabilities, they are most likely not vulnerable to the Shellshock attack despite what the news is currently reporting.  This is once again due to the fact that these devices do not come with Bash, but rather a much smaller shell interpreter known as BusyBox.  Without a copy of Bash installed, this vulnerability simply does not exist.
It is worth noting that some embedded devices will run a full version of Bash and as such be vulnerable to this attack.  Shellshock will indeed be a serious concern for those devices, even if they are less common.
 
While many devices and systems will be vulnerable to Shellshock, there are a limited number of ways to remotely exploit this vulnerability.  Our research has showed that iOS and Android devices, as well as many embedded devices are completely unaffected by Shellshock.  Systems running OS X are not likely to be vulnerable to a remote attack, but a local privilege escalation attack may be possible.  As always, both users and server administrators should still apply any available security patches for this issue once they become available.
altenen free credit card stardumps24