Bash vulnerability?

Security is a bit of a Dark Art for me as it deals with things too deep for comprehension. But I found this link:
GNU Bourne-Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE 2014-6278) | CISA and wondered if Linux users ought to be concerned. Or has the problem been addressed?

As long as you’re up to date (and running a current distro) you’re safe … it’s already been patched 🙂

Thanks, Mark.
I wonder how long Microsoft would have taken to fix a similar problem in Windows.

Keith

They may never fix it … here’s a recently reported shell vulnerability in Windows:
http://thesecurityfactory.be/command-injection-windows.html
where if someone authors a local script incorrectly it still works but could allow manipulation of system variables.

last section reads:-

Is Microsoft going to fix this issue?

Nope … they’re not.
We contacted Microsoft for this and they stated following:

http://thesecurityfactory.be/images/image007.png

So Microsoft’s response appears to be … “not our problem … you deal with it”

I’m all for users bearing some responsibility for what they do, but to be abandoned like that is shocking.

Microsoft being corporate and suable tend to have to sidestep responsibility … but I agree with you, the script author definitely has some responsibility, but if this wasn’t originally documented (and it wasn’t) so do Microsoft, and no matter how you look at it if it’s not intended behaviour and an open vulnerability it’s a bug.

… and so, dear reader, stick with Linux and your local, friendly Forum.