According security experts it ‘s very likely that the vulnerability has already been exploited, a system administrator using the @yinettesys Twitter account published a GitHub gist post reporting on a case in which threat actors exploited the Bash Bug flaw to launch kernel exploit on machine coordinating the attack with a C&C server hidden behind the Cloudflare content delivery network.

Another IT giant is menaced by the Bash Bug flaw, Oracle has also confirmed that over 32 of its products are affected by the “Shellshock” vulnerability. The company warned its users to wait a bit longer for the complete patch, by issuing a security alert regarding the Bash bug on Friday.

“Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability,” states the Oracle Security Alert for CVE-2014-7169.

“The fixes that are available for immediate application by customers are listed in the Patch Availability Table. This Security Alert will be updated when fixes are available for additional affected Oracle products without sending additional emails to customers. Customers should check this page for updates.

Due to the severity, public disclosure, and reports of active exploitation of CVE-2014-7169, Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.”

On the Internet is also available an unofficial patch that fixes the Bash Bug, in a message sent to the Open Source Software Security (oss–sec) mailing list, the maintainer of Bash, Chet Ramey addressed the vulnerability and issued the patch.

Pierluigi Paganini

(Security Affairs – BashBug, Oracle, Apple)