nanog mailing list archives

Re: update


From: Jim Gettys <jg () freedesktop org>
Date: Fri, 26 Sep 2014 10:37:06 -0400

On Wed, Sep 24, 2014 at 11:19 PM, Jimmy Hess <mysidia () gmail com> wrote:

> On Wed, Sep 24, 2014 at 10:03 PM, William Herrin <bill () herrin us> wrote:
>>> lrwxrwxrwx 1 root root 4 2014-02-22 11:52 /bin/sh -> bash
>>
>> ROFL. Jimmy, please tell me you had to start up a VM to check that. :)
>
> Not a live system, but aside from honeypots, there really are
> embedded appliances and companies with websites still in production
> based on LAMP installations on Etch and Lenny.


Lots of small embedded Linux systems (e.g. your home router) are *not*
vulnerable to this particular problem. A quick glance at 6 reasonably
current home routers shows all are using the "ash" shell, rather than bash,
as it is much smaller and part of busybox, which most of these devices use.

That being said, there are many, many other serious vulnerabilities in that
class of device, compounded many times over by the fact that most lack any
sort of update stream, and usually require manual update, if ever new
firmware does become available.

Those of you unfamiliar with The Moon worm should familiarize yourself with
it.  Consider it a shot across our bow....

For those of you who want to understand more about the situation we're all
in, go look at my talk at the Berkman Center, and read the articles linked
from there by Bruce Schneier and Dan Geer.

http://cyber.law.harvard.edu/events/luncheon/2014/06/gettys

Jim Gettys
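
Added example, not part of the original post or written by its author: a POSIX shell function that reports what backs /bin/sh inside a root filesystem tree, such as an unpacked firmware image, which is the check behind the `ls -l /bin/sh` line and the ash-versus-bash observation above. The function name `sh_provider` and the output labels are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: classify what /bin/sh resolves to under a given root.
# Usage: sh_provider ROOTFS   (ROOTFS defaults to "/", the running system)
# Limitation: only the final path component chain is followed by hand; a
# directory symlink with an absolute target inside ROOTFS is not rewritten.

sh_provider() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", so "$root$path" stays valid
    path=/bin/sh
    hops=0
    # Follow symlinks manually so absolute targets stay inside $root
    # instead of resolving against the host filesystem.
    while [ -L "$root$path" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then echo "loop"; return 1; fi
        target=$(readlink "$root$path") || { echo "unknown"; return 1; }
        case $target in
            /*) path=$target ;;                 # absolute: relative to $root
            *)  path=${path%/*}/$target ;;      # relative: same directory
        esac
    done
    if [ ! -e "$root$path" ]; then echo "missing"; return 1; fi
    case ${path##*/} in
        bash)     echo "bash" ;;
        # Assumption: a busybox-backed sh is the ash applet, as on the
        # routers described in the post; some builds use hush instead.
        busybox)  echo "busybox" ;;
        ash|dash) echo "${path##*/}" ;;
        # A real binary named "sh" cannot be identified by name alone.
        *)        echo "other:${path##*/}" ;;
    esac
}

# Run directly with a rootfs argument, e.g.: sh thisfile ./squashfs-root
if [ "$#" -gt 0 ]; then sh_provider "$1"; fi
```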

