Shellshock a Fail for Security Disclosure

  • 23 October 2014

By Sean Michael Kerner  |  Posted October 23, 2014
 
Shellshock and the Xen vulnerability. One of these things is not like the other, and an expert says they can teach us a lot about how to disclose security vulnerabilities.
 
 
TORONTO: At the annual SecTor Toronto security conference, one of the key highlights for the last several years has been the Fail Panel, which examines the areas where the security industry did not succeed and where lessons of the past have still not been learned.
This year was no exception. At the 2014 edition of the Fail Panel, the major topic of discussion was the big brand-name vulnerabilities like Heartbleed, Shellshock and POODLE and how they are properly -- or in some cases improperly -- disclosed.
Securosis CEO and analyst Rich Mogull took particular aim at the Shellshock vulnerability and how it was disclosed. Shellshock is technically a vulnerability in Bash (the Bourne Again Shell) that could have enabled an attacker to inject and execute arbitrary commands on a vulnerable server.
 
 