
Microsoft Windows Zero-Day Vulnerability CVE-2014-4114

Yesterday a zero-day vulnerability affecting all versions of the Microsoft Windows operating system was announced. It was discovered and announced by iSIGHT Partners in collaboration with Microsoft.

Microsoft has already released a patch for it, so everyone is advised to patch all versions of Windows as soon as possible.

More details about the patch can be found at

https://technet.microsoft.com/library/security/ms14-060


Remote exploit vulnerability in bash CVE-2014-6271

A remotely exploitable vulnerability has been found in bash on Linux. The vulnerability has the CVE identifier CVE-2014-6271. It affects all Linux distributions and could pose a bigger threat to computers than the “Heartbleed” bug that was discovered in April, so you need to patch servers as soon as possible.

The vulnerability can potentially be used to execute arbitrary code through environment variables that are passed to child processes. This could include CGI scripts, where the web server passes environment variables through to a child process that is run by a vulnerable version of bash.

Both Debian and RedHat have provided updated binaries, and other operating system vendors are expected to follow quickly.

More OS-specific details can be found below.

Debian

Ubuntu

RedHat/Fedora

You can verify whether your server is vulnerable by executing the following command.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it reports “vulnerable this is a test” then you need to apply the security update as soon as possible, but if you see something like the output below then you're good.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
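A scripted form of the check above, written as an added example that is not part of the original post: it runs the same probe against each bash binary it is given and prints a verdict per path. The function names and default search paths are assumptions, and the probe covers CVE-2014-6271 only, so a clean result says nothing about CVE-2014-7169.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the default
# search paths are assumptions made for this sketch.

# probe_bash PATH
# Runs the page's CVE-2014-6271 probe against one shell binary and prints
# "vulnerable", "not vulnerable" or "not runnable" (status 1, 0 or 2).
probe_bash() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "not runnable"; return 2; }
    # Per-run marker, so the verdict cannot be confused with ordinary output.
    marker="probe_marker_$$"
    # Same probe as above: a function definition followed by a trailing command.
    # Patched 2014-era builds warn on stderr, which is discarded here.
    out=$(env x="() { :;}; echo $marker" "$shell_path" -c 'echo this is a test' 2>/dev/null) || out=
    case $out in
        *"$marker"*)        echo "vulnerable"; return 1 ;;
        *"this is a test"*) echo "not vulnerable"; return 0 ;;
        *)                  echo "not runnable"; return 2 ;;
    esac
}

# scan_shells [PATH...]
# Probes each existing binary and prints one verdict line per path.
# Returns 1 if any binary is vulnerable, otherwise 0.
scan_shells() {
    [ $# -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash
    any_vulnerable=0
    for candidate in "$@"; do
        [ -e "$candidate" ] || continue
        verdict=$(probe_bash "$candidate") || true
        printf '%s: %s\n' "$candidate" "$verdict"
        if [ "$verdict" = "vulnerable" ]; then any_vulnerable=1; fi
    done
    return "$any_vulnerable"
}

# Check the default locations; pass explicit paths to cover chroots or
# containers that ship their own copy of bash.
scan_shells || echo "at least one bash binary needs the security update" >&2
```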

[UPDATE]:

The initial round of patches to fix CVE-2014-6271 has proven ineffective at fully resolving the issue. A new CVE identifier, “CVE-2014-7169”, has been issued and vendors have already provided a new patch for it, so everyone is required to apply the new update.