Because time and again, Lennart and the systemd team have demonstrated that bug fixes in their software are not a priority, compatibility with applications is not a priority, and by re-writing something that works you inevitably introduce new bugs.
Or you could use what we've been using for the past 20-30 years that has been debugged, proven to work and not completely different to the rest of the world.
You forgot: mod_cgi needs to be manually turned on in the web server also. If you're running php instead, you are not vulnerable (which makes a change).
I like how Slashdot are making out that this is more of an Apple problem when perhaps 0.0001% of Apple users are even running a web server and most of those are using php and not mod_cgi, the dhcp client is not vulnerable, etc.
Yet Linux with dhcp client vulnerable and a whole slew of other system utilities potentially vulnerable due to using bash everywhere to glue tools together is given a pass.
bash still isn't fixed properly yet, and until it is, any Linux box with a dynamic IP address is potentially at risk.
Apple are likely more concerned with breaking apps that may depend on certain behaviour and actually QA testing their shit before putting it out to 100 million users or so and dealing with the fallout from "it just works" breaking. Linux is an entirely different kettle of fish, where breaking people's shit because you don't like company X or you have an ideology conflict is "acceptable".
On the contrary.... insufficient QA = potentially a hundred million functionally broken machines, vs. perhaps 5 nerds with compromised Mac web servers exposed to the internet from not pushing it out.
News flash: as the proportion of electronics volume to phone volume goes up, the chassis goes down. Eventually, we reach a point where we need to decide how much force is necessary for a phone to withstand. Time will tell whether this force is enough. If the 9 reports of bent phones are to be believed, out of 10 million plus sales (first weekend) that is not so bad.
Unless you wrote your own compiler from machine code, you are still trusting the people who wrote your compiler. You are also trusting the people who wrote the microcode in your CPU. You are trusting third parties irrespective of whether or not you are running open source, and as demonstrated by the leaked NSA docs, there are bugs available for your hard drive firmware that you will never find.
In short: you're boned and trusting third parties irrespective of how open your OS is - unless all of your hardware is open, all of the firmware for your hardware is open, and you have personally audited all of it.
Correct. For this to be exploited, bash needs to be spawned by an internet facing service and pass environmental variables into a bash shell. Nothing on OS X does this by default. OS X does not run the open source dhcpd, and is thus not exploitable via dhcpd, and does not run apache unless manually enabled, and manually configured to run mod_cgi. Remote ssh is also not enabled on the mac by default.
Far more vulnerable is Linux which runs dhcpd on any machine with a non-static IP, through which bash is exploitable.
But hey, let's make out that OS X is worse off than Linux in this case.
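The comment above states the two conditions that have to hold together: the installed bash must still execute the trailing command of a function-definition environment variable, and an internet-facing service (Apache with mod_cgi in the thread) must hand bash attacker-controlled variables. The following local self-check is an added example, not code from the thread; it tests only the machine it runs on and assumes `apachectl`/`apache2ctl`/`httpd -M` is available for the module listing.

```shell
#!/bin/sh
# Added example (not from the thread): local self-check for the bash
# function-import bug discussed in the comments. A vulnerable bash parses an
# environment variable shaped "() { ...; }; <trailing command>" as a function
# definition and runs the trailing command at startup; a fixed bash does not.
# Nothing here touches the network; only the local bash binary is exercised.

shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # A fixed bash never prints the marker that follows the function body.
    out=$(env probe='() { :; }; echo SHOCK_MARKER' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHOCK_MARKER*) echo "vulnerable" ;;
        *)              echo "patched" ;;
    esac
}

# Second condition from the comment: bash only matters if something
# internet-facing passes it environment variables. Report whether the local
# Apache (if any) has a CGI module loaded; "-M" lists loaded modules.
apache_cgi_status() {
    for ctl in apachectl apache2ctl httpd; do
        if command -v "$ctl" >/dev/null 2>&1; then
            if "$ctl" -M 2>/dev/null | grep -q 'cgi'; then
                echo "cgi-enabled"
            else
                echo "cgi-disabled"
            fi
            return 0
        fi
    done
    echo "no-apache"
}

main() {
    echo "bash:   $(shellshock_status)"
    echo "apache: $(apache_cgi_status)"
}
main
```

A host is only exposed through the path the thread describes when the first line reports "vulnerable" and the second "cgi-enabled" (or some other service feeds bash untrusted variables).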
I suspect the only reason Apple currently uses bash as the default shell (it used to be plain sh from memory or csh) is that it makes it friendly to Linux users.
So you are just writing off their contributions to WebKit, CUPS, Zeroconf, GCD, LLVM, etc. Things that other operating systems and applications can and do benefit from?
Well.... not really. All I've had to do is ensure I am not running Apache or OpenSSH on my Macs. I'm not. Meanwhile anyone running Linux with dhcpd is vulnerable until they fix bash. On my FreeBSD servers I just uninstalled bash. Job done. This bug was fixed in sh about 30 years ago, apparently, according to Twitter.
Linux also uses bash in place of sh in most distributions. Linux also uses a dhcp daemon which is vulnerable to being used to exploit this bash bug. OS X does not.
The only people who are going to get butt-hurt over this are a tiny fraction of Linux users who represent a tiny fraction of a tiny fraction of the GPU market.
No, the OS X dhcp client is not hacked together with shell scripts.
You mean the Mac servers that don't run mod_cgi?
I will be amazed if you can find a single compromised OS X box.
The majority of which do not apply to OS X and only linux, because OS X isn't held together with shell scripts and duct tape.
Sitting on your phone is not. I'm sure many of the electronics I have, like my PSP for example, will break if I sit on them.
Even if they are under-reporting by 99%, you're still talking ~1000 or so people. Which out of 10 million in the first weekend of sales is not bad.
Sure. In theory. If we're going to talk reality, I have far fewer problems with OS X than I do with Linux in the first place.
bash is not part of FreeBSD.
The amount of GPL code in OS X userland is exceedingly minimal. Most of it is from FreeBSD.
Apple deprecated Java entirely and suggested that you obtain it from Oracle, but thanks for playing.
You know WHY people implement code signing, right?