Comment Re: Hilarious (Score 1) 94
...since Bash can run on *anything*, that makes it an "anything running Bash" issue, including your precious Windows...
Well, yes, I stated the fact that anything running Bash is vulnerable; I never denied that. Where, dear sir, did I state that they were equally vulnerable? We're back to "you can't quote it because I never said it", despite what you claim.
Shellshock is a fixed issue on 'nix systems, for anyone keeping their system up to date. Well, except for OSX Yosemite beta testers, for whom an incomplete patch was released on 9-30; still vulnerable to one of seven known exploits. Windows systems that are vulnerable, no matter how few those might be (MinGW has over a half million weekly downloads, so I would still posit that the number is higher than you admit), remain vulnerable as MinGW hasn't seen an update in nearly a year and Cygwin in almost 5.
I'm not ragging on Windows here; like I said, it's a platform I make use of fairly consistently. I'm just saying, while Shellshock was a doozy of a bug, in the end it cost me maybe an hour of my life to patch well more than a handful of systems and it's done; were I running a POSIX layer on my Windows machines, however, that would not be the case; and, with over a half million weekly downloads of one of the most popular Windows POSIX layers, I'm thinking it's not safe to assume it's a non-issue for Windows servers.
Clearly, we're going to have to agree to disagree on this point, but the facts are as I've stated.
Regarding the CMD example, here's my source for that; fuck me for sharing it, right? Google "PowerShell command injection" and realize that every shell is vulnerable in one way or another; in fact, check out "PowerShell remote exploit" and realize that some of these flaws still exist in the wild.
Nothing's perfect, but I do have to stand by a system that gets patches out quickly; assuming your point about testing patches before deployment stands (and in most cases, it does; in this case, any application broken by the patch was broken to begin with), Bash users had a patch to test against within hours. Do you not test Microsoft's patches before you apply them? You know, weeks or months after the vulnerability is disclosed publicly.