Part of the problem with "Shellshock" is that if you're either calling system or using bash scripts as CGI to begin with, you were doing it wrong. The DCHP thing is potentially a problem, but again, just don't connect to some network you don't know. Or just don't let dchp run shell scripts because that's fucking stupid. You're only vulnerable if you're using cpanel or some other multi-headed, bloated CMS like some kind of mongoloid.

@1 -- pretty much. The only real exploit I see for this would be the DHCP attack if someone is able to crack your wireless (or if you're connecting to public WiFi) and sends you a crafted request impersonating the DHCP server since it uses UDP. Though there's many other attacks you can do in that case either way.

@2 - Oh, dear, I fucked up spelling DHCP. Oops. But yeah, indeed. It's ludicrous that people are claiming this is wormable.The Apache Magika exploit by kingcope was, essentially, similar: cgis packed with Apache being exploitable under certain situations. It worked, but only on a fraction of the internet. Nobody said anything about that. I don't get where the hype for Shellshock is coming from.