Thanks. I'm reading http://en.wikipedia.org/wiki/Shellshock_(software_bug) and I sort of get it.
I guess the worry is that the effects are so unknown. IF there is a situation where a user can set an environment variable to some arbitrary value and IF that variable gets passed to a child process, the child process will end up executing the user's malicious command appended to the environment variable. What are all the situations where that might happen? I guess no one knows, and that is the problem.

Note that there is also a variant out there now, as yet apparently unpatched, CVE-2014-7169.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Paul Gilmartin
Sent: Thursday, September 25, 2014 5:06 PM
To: [email protected]
Subject: Re: OT - Bash Vunerability

On Thu, 25 Sep 2014 16:47:29 -0700, Charles Mills wrote:

>While we're being OT here, can anyone explain this to me in practical terms?
>
>Sally has a basic everyday Mac running unpatched OS X. It is connected to the
>Internet for Web browsing and e-mail, but she does not operate a Web server.
>Let's for argument's sake assume no firewall. Is Sally vulnerable to this?
>
>I am guessing that if she is vulnerable it is because someone can
>telnet to her machine,
>
Not unless she enables telnet in System Preferences. I don't even know if that's an option. ssh is. I rarely turn it on.
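The condition described in the message above, a user-supplied value reaching a child bash through the environment, can be looked for from the defensive side. The following is an added example, not part of the original thread: a POSIX shell filter that reads `NAME=VALUE` lines and flags values beginning with `() {`, the exported-function form that bash releases affected by Shellshock parse at startup. The function names, variable names and sample lines are constructed, and one variable per input line is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. All names and sample data are constructed.

# classify_value VALUE -> prints "plain", "funcdef" or "funcdef+trailing".
# A value is treated as a function definition only if it STARTS with "() {".
classify_value() {
  case $1 in
    "() {"*) ;;                      # function-definition form: inspect further
    *) echo plain; return 0 ;;
  esac
  close='}'
  rest=${1#*"$close"}                # text after the first closing brace
  # Ignore separators; anything else after the body is trailing text.
  # Conservative choice: nested braces or a missing "}" also count as trailing.
  rest=$(printf '%s' "$rest" | tr -d ' ;\t')
  if [ -n "$rest" ]; then echo "funcdef+trailing"; else echo funcdef; fi
}

# scan_env: reads NAME=VALUE lines on stdin (assumed one variable per line)
# and prints "NAME<TAB>classification" for every value that is not plain.
scan_env() {
  while IFS= read -r line; do
    case $line in
      *=*) ;;
      *) continue ;;                 # skip lines that are not assignments
    esac
    name=${line%%=*}
    value=${line#*=}
    kind=$(classify_value "$value")
    [ "$kind" = plain ] || printf '%s\t%s\n' "$name" "$kind"
  done
}

# Constructed sample environment; the trailing command is a harmless echo.
sample_env() {
  cat <<'EOF'
TERM=xterm
LEGIT_FUNC=() { echo hello; }
UNTRUSTED_INPUT=() { :; }; echo PROBE
NOTE=call f() { } later
EOF
}

sample_env | scan_env
```

To review a live process environment instead of the sample, pipe `env` into `scan_env`; values containing newlines will be split across lines and may be misread.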
