Today's big story is the newly discovered Bash vulnerability, variously called "Bourne Again" or "Shellshock." It affects Unix and related operating systems (including, of course, Linux and OS X). The vulnerability allows attackers on a network to set environment variables (via web requests, secure shell, telnet sessions, etc.) that enable them to run scripts on vulnerable systems. Since Bash can be called in different ways by different applications, exploitation may be difficult to detect and mitigate. Some patches, detection tools, firewall upgrades, and workarounds have been hastily issued (and are urgently commended to the attention of admins), but Shellshock is a widespread vulnerability susceptible to diverse forms of exploitation, and it will be some time before the community sorts it out. "Bigger than Heartbleed?" Maybe, maybe not, but in any case something to take seriously. Credit researcher Stéphane Chazelas with the discovery.
A botnet DDoS toolkit, "Spike," is infesting the Internet-of-things (and that other Internet of users). It's been most active, so far, in Asia. Mitigations are available.
Japan Airlines (JAL) and Jimmy John's (a US sandwich chain) have suffered data breaches. A JAL database was compromised; Jimmy John's sustained a point-of-sale attack.
Mozilla patches a crypto flaw (called "phishing friendly") in its NSS library. Apple pulls its just-released iOS 8.01 after widespread reports that the update caused dropped phone service and disabled TouchID. Cupertino is working on iOS 8.02, but in the interim recommends reverting to iOS 8.
US regulatory agencies continue to push cyber resiliency and corporate board responsibility.