> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Yves Dorfsman
>
> What do you guys do for your OS X non-technical users?
>
> Give them instructions on how to update bash manually?
> Give them instructions on how to close ports 22 and 80 when using public wifi?
>
> Does anybody have any idea when Apple might release a proper patch?
My opinion: The only way to exploit the bug is to *first* run some malicious code that would tweak your environment such that the bug is then being exploited. In other words, this bug doesn't expose users to the risk of simply browsing a malicious website accidentally and compromising your system; this bug is a trojan backdoor that needs to first execute some malicious code on your system in order to expose the backdoor.

Yes, it's a bug to be taken seriously; no, I don't recommend building your own patched bash, for three reasons:

#1 Suppose you patch bash, and then Apple releases an update. What will be the behavior of their updater when it sees your nonstandard binary? I have seen times when the updater would clobber a nonstandard file, and I've seen times when the updater refuses to operate because there's a nonstandard file sitting there. I simply cannot say how Apple's updater would behave in this specific scenario.

#2 Even if you patch it, I don't think they've released fully patched source code yet for bash. They have instructions to build an updated bash, but it's still subject to another variant of the same bug. I am reasonably certain that as soon as *fully* patched bash source code is available, Apple will build it and distribute it.

#3 In order to exploit this bug, the attacker must execute some malicious code on your system *first*, or modify core system files on your system *first*. If they can do that, they could exploit this bash backdoor, or any one of numerous other possible backdoors.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
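As an added example (not part of the thread or written by either poster): a small POSIX sh script showing the mechanism behind the bash bug being discussed, namely bash's pre-patch habit of importing any environment variable whose value begins with `() {` as a function and then executing whatever follows the closing brace, and a check of whichever bash is on PATH using the two public test payloads for CVE-2014-6271 and the follow-up variant CVE-2014-7169 (the "another variant of the same bug" the reply mentions). The sample variable values in the loop at the bottom are constructed for illustration; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: how the environment-variable
# function import behind CVE-2014-6271 / CVE-2014-7169 is triggered, and a
# check of the bash binary on PATH against the two public test payloads.

# Pre-patch bash imported any environment variable whose value started with
# "() {" as a function definition and kept executing whatever followed the
# closing brace. Classify a value the way that parser would have treated it.
# Heuristic only: a '}' inside the function body itself confuses the pattern.
classify_env_value() {
    case "$1" in
        '() {'*'}'*[![:space:]]*) echo 'function-plus-trailing-command' ;;
        '() {'*)                 echo 'function-only' ;;
        *)                       echo 'plain-value' ;;
    esac
}

# Run the two public test payloads against the bash found on PATH.
# Prints exactly one of: no-bash, vulnerable, patched.
check_bash_shellshock() {
    command -v bash >/dev/null 2>&1 || { echo 'no-bash'; return 0; }

    # CVE-2014-6271: a command after the function body runs at bash startup,
    # so "vulnerable" appears on stdout even though -c only asks for "completed".
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo completed' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo 'vulnerable'; return 0 ;;
    esac

    # CVE-2014-7169 (the variant left open by the first fix): a malformed
    # definition leaves a redirection pending, so bash treats the word "echo"
    # from its own -c argument as a file name and runs "date" into it.
    tmp=$(mktemp -d) || { echo 'patched'; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo 'vulnerable'
        return 0
    fi
    rm -rf "$tmp"
    echo 'patched'
}

# When run directly: classify a few constructed sample values, then check bash.
for v in '/Users/alice' '() { echo hi; }' '() { :;}; echo vulnerable'; do
    printf '%-28s -> %s\n' "$v" "$(classify_env_value "$v")"
done
echo "bash on PATH: $(check_bash_shellshock)"
```

The first payload is the one most people ran in September 2014; the second one is why a bash built from the first round of patched source still needed another update. Any bash released since then prints `completed` and `date` without side effects, and the script reports `patched`.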