Comment Re: Hilarious (Score 1) 94

...since Bash can run on *anything*, that makes it an "anything running Bash" issue, including your precious Windows...

Well, yes, I stated the fact that anything running Bash is vulnerable; I never denied that. Where, dear sir, did I state that they were equally vulnerable? We're back to "you can't quote it because I never said it", despite what you claim.

Shellshock is a fixed issue on 'nix systems, for anyone keeping their system up to date. Well, except for OSX Yosemite beta testers, for whom an incomplete patch was released on 9-30; still vulnerable to one of seven known exploits. Windows systems that are vulnerable, no matter how few those might be (MinGW has over a half million weekly downloads, so I would still posit that the number is higher than you admit), remain vulnerable as MinGW hasn't seen an update in nearly a year and Cygwin in almost 5.

I'm not ragging on Windows here; like I said, it's a platform I make use of fairly consistently. I'm just saying, while Shellshock was a doozy of a bug, in the end it cost me maybe an hour of my life to patch well more than a handful of systems and it's done; were I running a POSIX layer on my Windows machines, however, that would not be the case; and, with over a half million weekly downloads of one of the most popular Windows POSIX layers, I'm thinking it's not safe to assume it's a non-issue for Windows servers.

Clearly, we're going to have to agree to disagree on this point, but the facts are as I've stated.

Regarding the CMD example, here's my source for that; fuck me for sharing it, right? Google "PowerShell command injection" and realize that every shell is vulnerable in one way or another; in fact, check out "PowerShell remote exploit" and realize that some of these flaws still exist in the wild.

Nothing's perfect, but I do have to stand by a system that gets patches out quickly; assuming your point about testing patches before deployment stands (and in most cases, it does; in this case, any application broken by the patch was broken to begin with), Bash users had a patch to test against within hours. Do you not test Microsoft's patches before you apply them? You know, weeks or months after the vulnerability is disclosed publicly.

Comment Re: Hilarious (Score 1) 94

You are correct, Cygwin hasn't seen an update since December 2009. However, I said MinGW, which has been updated a bit more recently. Please don't make assumptions about what I run and how I administer my systems based on my stated observations of the *rest* of the industry; you'll note that I said, and I quote:

I use Windows, OSX, and Linux in roughly equal proportions

Which probably means I use Windows where I need Windows and I use Linux where I need Linux; OSX is my desktop of choice at the moment, though that is subject to change, as it has changed a number of times over the past 20 years. That doesn't change the fact that I see a fair number of shared hosting providers (of which I am not one) running MinGW on Windows as a means to reduce the incidence of having to tell a customer who insists on using Windows they have to switch to Linux hosting to do what they want. I'm not saying this is the correct way that the user should be running their site, just that yes, less administratively-inclined users sometimes make ridiculous demands that you, as a business owner, must bend over and cater to if you want their money. If you simply tell them "You have to move to Linux hosting if you want to do that", they'll tell you when you can deactivate their account after they find a host who'll make it work on Windows. That's how the shared hosting market currently works; there are a million providers and, no matter how ridiculous one's requirements, at least thousands of those millions will cater to those needs without a second thought as long as the bill is getting paid.

My best friend got tired of it and sold his hosting company last year, after a very successful 13-year run. As a customer of his (who did not make such ridiculous demands; rather, I opted for Linux hosting, as that's what I needed) for several years, I volunteered my time in his support chat (a few hours a week, whenever I was bored, usually while BSing with him in the evenings) and fielded quite a number of these ridiculous requests (anything at that level of ridicule was beyond my power, as a volunteer, to handle and was forwarded to him), so I can tell you first hand, the idiots who want to do something like this are not only out there, they're plentiful.

Comment Re: Hilarious (Score 1) 94

I'll repeat the question (and correct a typo; thanks, autocorrect):

Did I say both are equally vulnerable, or are you making shit up in an attempt to discredit me?

Of course, I'm repeating this in response to this bit of snark:

You're right; ShellShock really is as bad a ball-ache in Windows as *nix, no really!

It was originally said in response to this bullshit:

I love the fact you try to equate Windows and Linux for this epic bug as if they're both as vulnerable.

In case you missed the question the first two times, here it is again:

Did I say both are equally vulnerable, or are you making shit up in an attempt to discredit me?

And, in case you decide to say something along the lines of "Yes, you said both are equally vulnerable" I might ask that you quote me.

PROTIP: You won't be able to, because I never said it. If you want to win an argument with me, you have to attack what I'm actually saying; the minute you start attacking what you say I said, you've already lost. You're attacking your own words, not mine. Game. Set. Match.

Comment Re:Shellshock is way worse (Score 2) 94

I'm not seeing another post from you in this thread... What claim did you make? I think we're in agreement, though; by necessity, shells give you all kinds of ways to hang yourself, most of which are in no way obvious to an unseasoned user. That's just the price of the added power and control, and it comes with a responsibility to learn your tools and learn and follow best practices when developing on or for an environment that makes use of a shell, whether you're using that shell directly or not. Best practices, like sanitizing your inputs, mitigate this on all platforms.
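The "sanitize your inputs" point above, as an added example that is not part of the thread: a small Python scanner that flags Shellshock-style payloads (an environment value that begins with a function definition and carries trailing commands) in web-server access logs, plus the check a CGI wrapper could apply before exporting a header value into the environment. The log lines, hostnames and the `canary` payload are constructed for the example.

```python
"""Flag Shellshock-style payloads in combined-format access logs.

Added example, not code from the Slashdot thread. The log lines below are
constructed; the hosts are documentation-range addresses.
"""
import re
from typing import Dict, List, Optional

# Signature for the CVE-2014-6271 trigger: a value that starts with a
# function definition "() {", a body, the closing brace, then a ";" that
# introduces trailing commands an unpatched bash executed on import.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Combined log format; the two trailing quoted fields are Referer and
# User-Agent, both of which CGI servers export into the environment.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: two benign requests and two carrying the marker.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 '
    '"-" "() { :; }; echo canary"',
    '203.0.113.4 - - [25/Sep/2014:10:02:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 '
    '"() { ignored; }; echo canary" "curl/7.37.0"',
    '203.0.113.9 - - [25/Sep/2014:10:03:00 +0000] "GET /about HTTP/1.1" 404 209 '
    '"http://example.test/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"',
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per line whose request, referer or agent carries the marker."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"line": n, "host": rec["host"],
                             "field": field, "value": rec[field]})
                break  # one report per line is enough for triage
    return hits


def env_value_is_safe(value: str) -> bool:
    """Mitigation side: refuse to export a header value that starts with a
    function definition, which is the only shape bash would import as code."""
    return re.match(r"^\s*\(\)\s*\{", value) is None


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} via {hit['field']}: {hit['value']!r}")
```

The regex is the same shape the public IDS signatures used at the time; it looks for the full definition-plus-trailing-command form rather than the bare `() {` prefix, so ordinary user agents containing parentheses do not trigger it, while the export check on the mitigation side is deliberately broader, since nothing legitimate begins a header with `() {`.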

Comment Re: Hilarious (Score 1) 94

Am I attempting to divert negative PR, or am I simply stating facts? Did I say both are equally vulnerable, or are you making shit up in an attempt to discredit me?

I don't have a dog in this race; I use Windows, OSX, and Linux in roughly equal proportions. More people run POSIX layers on their Windows servers than you likely realize; in the hosting world, you give your users what they want, and users want to run that prewritten PHP script that relies on some UNIX userland element that Windows doesn't provide, and some subset want to run it on Windows. Hosts offering a Windows solution often install MSYS/MinGW by default to cut down on support calls for these scenarios, so the incidence of it being installed will naturally be higher than the incidence of it being necessary.

Also... give this a try on your Windows machine:
C:\Usersl>set foo=bar^&ping -n 1 google.com
C:\Usersl>echo %foo%

Seems as though you don't need Bash for Windows to be vulnerable, after all. C U Next (patch) Tuesday.

Comment Re:Shellshock is way worse (Score 1) 94

From the FreeBSD Wikipedia page:

Darwin, the core of Apple OS X, includes a virtual file system and network stack derived from the FreeBSD virtual file system and network stack

The network stack and VFS are kernel components. Other than that, though, you are correct, Darwin's kernel is XNU. But, wait a minute...

Originally developed by NeXT for the NeXTSTEP operating system, XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed at Carnegie Mellon University with components from 4.3BSD and an Objective-C API for writing drivers called Driver Kit.

It seems that XNU is derived from BSD, alongside components from two other kernels.

After Apple acquired NeXT, the Mach component was upgraded to 3.0, the BSD components were upgraded with code from the FreeBSD project and the Driver Kit was replaced with a C++ API for writing drivers called I/O Kit.

Specifically, FreeBSD, after Apple took it over.

Comment Re:Shellshock is way worse (Score 1) 94

You would have had to build a patched Bash from scratch on that system to secure it, as Apple only released patches for 10.7-10.9. Even if you were running a more recent version of OSX, you'd still have had to build it yourself to patch it *in time*. I'm really disappointed in Apple's response to this.

I never said no competently written code was affected, just that examples are exceedingly rare. More so, Toreo asesino's example was an application breaking as a result of patching this vulnerability, which would seem to indicate that said application was exploiting the vulnerability in the first place; zero competently written applications do that.

Comment Re:Shellshock is way worse (Score 1) 94

Yahoo's systems were _not_ compromised via the bash bug

This is what was being reported before I entered into two weeks of product launches that have kept me from following up. I'd thank you for the correction but you're a bit late with it, another poster already corrected me, and with much less snark.

FreeBSD does not use bash for /bin/sh

But that doesn't stop a sysadmin from changing that behavior, just as Ubuntu defaulting to Bash didn't stop me from swapping it out in favor of Dash. Just a matter of deleting the old binary and symlinking to the new one.

Apple's Darwin kernel was not forked from FreeBSD.

Oh, but it was! In fact, Darwin 7.0 (OSX 10.3) brought Darwin's BSD layer back in sync with FreeBSD 5. There was, indeed, a lot of reimplementation at the kernel level, and most of the userland tools had many parts rewritten as well, but your own source confirms what I have said. It confirmed it before I posted it originally, as well. In case that's not enough, here's another, and another, and, for good measure, one more, though that last one only mentions the use of BSD's userland components.
