You forgot: mod_cgi needs to be manually turned on in the web server also. If you're running php instead, you are not vulnerable (which makes a change).

I like how slashdot are making out that this is more of an apple problem when perhaps 0.0001% of apple users are even running a web server and most of those are using php and not mod_cgi, the dhcp client is not vulnerable, etc.

Yet Linux with dhcp client vulnerable and a whole slew of other system utilities potential vulnerable due to using bash everywhere to glue tools together is given a pass.

bash still isn't fixed properly yet, and until it is, any linux box with a dynamic IP address sis potentially at risk.

No, the OS X dhcp client is not hacked together with shell scripts.

You men the mac servers that don't run mod_cgi?

Apple are likely more concerned with breaking apps that may depend on certain behaviour and actually QA testing their shit before putting it out to 100 million users or so and dealing with the fall out from "it just works" breaking. Linux is an entirely different kettle of fish, where breaking people's shit because you don't like company X or you have an ideology conflict is "acceptable".

I will be amazed if you can find a single compromised OS X box.

The majority of which do not apply to OS X and only linux, because OS X isn't held together with shell scripts and duct tape.

ON the contrary.... insufficient QA = potentially a hundred million functionally broken machines, vs. perhaps 5 nerds with compromised mac web servers exposed to the internet from not pushing it out.

Sitting on your phone is not. I'm sure many of the electronics I have, like my PSP for example, will break if i sit on them.

News flash: as the proportion of electronics volume to phone volume go up, the chassis goes down. Eventually, we reach a point where we need to decide how much force is necessary for a phone to withstand. Time will tell whether this force is enough. If the 9 reports of bent phones are to be believed, out of 10 million plus sales (first weekend) that is not so bad.

even if they are under-reporting by 99%, you're still talking ~1000 or so people. Which out of 10 million in the first weekend of sales is not bad.

Sure. In theory. If we're going to talk reality, i have far less problems with OS X than i do with Linux in the first place.

Unless you wrote your own compiler from machine code, you are still trusting the people who wrote your compiler. You are also trusting the people who wrote the microcode in your CPU. You are trusting third parties irrespective of whether or not you are running open source, and as demonstrated by the leaked NSA docs, there are bugs available for your hard drive firmware that you will never find.

IN short: you're boned and trusting third parties irrespective of how open your OS is - unless all of your hardware is open, all of the firmware for your hardware is open, and you have personally audited all of it.

Correct. For this to be exploited, bash needs to be spawned by an internet facing service and pass environmental variables into a bash shell. Nothing on OS X does this by default. OS X does not run the open source dhcpd, and is thus not exploitable via dhcpd, and does not run apache unless manually enabled, and manually configured to run mod_cgi. Remote ssh is also not enabled on the mac by default.

Far more vulnerable is Linux which runs dhcpd on any machine with a non-static IP, through which bash is exploitable.

But hey, let's make out that OS X is worse off than Linux in this case.

bash is not part of FreeBSD.