Andrew Myers

Security, programming languages, and computer systems

Shellshock

This bug is every bit as bad as people are saying, so bad that I’ve taken the trouble to patch the computers I can get to. I have Macs running web servers, so they were wide open. It’s unbelievable that this behavior has been sitting in bash for so long without being fixed. Apache is nearly an open door to attack because every process that spawns a shell, including system() calls, is vulnerable. (Frankly, I’ve never really trusted bash and continue to pretend in my shell scripts that I am still using basic Bourne shell. It feels like I’m also the last person still using tcsh.) But you have to wonder how long we can keep the current tottering stack of poorly designed software abstractions going before it collapses.

Author: Andrew Myers

I am a professor of computer science at Cornell University. It is too hard to build trustworthy software systems using conventional systems APIs. I work on higher-level, language-based abstractions for programming that better address important cross-cutting concerns: security, extensibility, persistence, distribution.

One thought on “Shellshock”

  1. I still use tcsh as my default interactive shell. But when I write shell scripts (seldom), I use /bin/sh, which may be linked to bash or dash or something.