I have posted a new paper about Shellshock. In particular, it includes a detailed timeline of Shellshock, which counters a number of myths and misunderstandings. It also shows a correct way to detect if your system is vulnerable to Shellshock (many postings get it wrong and only detect part of the problem).
I also briefly discuss how to detect or prevent future Shellshock-like attacks. At the moment this list is short, because these kinds of vulnerabilities are known to be difficult to detect ahead of time. Still, I think it is worth trying to do this. My goal is to eventually end up with something similar to the list of countermeasures for Heartbleed-like attacks that I developed earlier.