Comment Re:Briefing for management - reuse with attributio (Score 1) 318
there is no web server in a normal recent OSX installation.
I think you might be wrong. I'm looking at a Mavericks install in front of me. Only thing installed other than the base OS is ARD.
Delivering the binary on a default OSX installation doesn't make shellshock exploitable on OSX systems, it needs to be running, which it isn't on the vast majority of OSX systems. I've bolded the part of your own post where you admit that this isn't the case. Yeah, I had a brain fart and forgot to type "running" in "there is no web server", it doesn't change my point: No running web server on the vast majority of OSX devices means that shellshock isn't as severe for Macs as some have been saying.