This bug is every bit as bad as people are saying, so bad that I’ve taken the trouble to patch the computers I can get to. I have Macs running web servers, so they were wide open. It’s unbelievable that this behavior has been sitting in bash for so long without being fixed. Apache is nearly an open door to attack because every process that spawns a shell, including system() calls, is vulnerable. (Frankly, I’ve never really trusted bash and continue to pretend in my shell scripts that I am still using basic Bourne shell. It feels like I’m also the last person still using tcsh.) But you have to wonder how long we can keep the current tottering stack of poorly designed software abstractions going before it collapses.
Published by Andrew Myers
I am a professor of computer science at Cornell University. It is too hard to build trustworthy software systems using conventional systems APIs. I work on higher-level, language-based abstractions for programming that better address important cross-cutting concerns: security, extensibility, persistence, distribution. View all posts by Andrew Myers