Shellshock over SMTP attacks mean you can now ignore your email

Lee D

I think the news is not that people who haven't updated bash are vulnerable. That much is obvious.

The news is that there's another major sector of programs handing off to bash in order to do the simplest of things (read the mutt post above). While that appears fine, it's something that not many are aware of, and means pulling in a huge codebase into the path of your external network functions that just increases the attack vector and makes it harder to effectively audit the code.

The problem, ironically, is systematic - not bash - in that we're relying on the shell to do far too much. The "one tool for the job" mentality of UNIX is falling apart where we've done this, and nobody noticed for quite a while. I wasn't aware that mutt or Apache were pulling in full bash shells to set environment variables, were you? It would have rung alarm bells for me if I'd known that, even on a casual, personal-use basis.

Where else are we pulling in unnecessarily powerful tools to do simple jobs that might be better achieved somehow else? Are those places vulnerable to outside attack? Have they been audited? Are people aware of the possibility? And, most importantly, someone somewhere must have known about these things - imagine the SELinux people, for example. They are generating signatures of exactly what a program needs to operate, including if it executes other programs, and either allowing or disallowing it. But yet nobody noticed that there might be a problem existing in bash for DECADES if it's used in this way.

I love Linux, but we seem to have strayed from the UNIX philosophies too far - we shouldn't be allowing software to pull in entire other programs to do simple tasks. Hell, why is there not just a "set" program that we can pull in when we need to set environment variables and that's ALL it can do? Why are we using full bash from our web servers which gives us the potential to embed (and successfully execute) a ping command, or any other, from a remote HTTP request?

The bash patch is just the sticking plaster over the wound. But we've been doing dangerous things for too long, and we need to look and change. It's not just a matter of "update bash", we're finding that this affects almost every remote service we offer and is a gaping security hole - and it's time we looked into what the security distros are doing in allowing it, and what we can do to make sure that the mutt author, for example, doesn't feel the need to pull in the full bash just to set an email address into an environment variable.
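An added illustration of the alternative the comment asks for (not code from mutt, Apache or the commenter): a C helper that hands one environment variable to a child with `execve()` directly, so no shell sits between the network-facing program and the helper. The function name `run_with_env`, the `EMAIL` variable, its sample value and the use of `/usr/bin/env` as the child are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run path with an environment holding only name=value; no shell starts.
 * Child stdout is copied into out. Returns exit status, or -1 on error. */
int run_with_env(const char *path, const char *name, const char *value,
                 char *out, size_t outlen)
{
    char entry[512];
    int fds[2], status;
    if (outlen == 0 || name[0] == '\0' || strchr(name, '=') != NULL)
        return -1;
    int len = snprintf(entry, sizeof entry, "%s=%s", name, value);
    if (len < 0 || (size_t)len >= sizeof entry)
        return -1;                          /* refuse to truncate the value */
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        char *const envp[] = { entry, NULL };   /* nothing inherited */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(path, argv, envp);           /* direct exec: no /bin/sh, no PATH lookup */
        _exit(127);                         /* only reached if execve failed */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char out[1024];
    /* Constructed sample value; /usr/bin/env stands in for a real helper. */
    int rc = run_with_env("/usr/bin/env", "EMAIL", "lee@example.org; echo not-run", out, sizeof out);
    printf("exit=%d\n%s", rc, out);
    return rc == 0 ? 0 : 1;
}
```

The child receives the value as plain bytes in its environment, and because the environment is built from scratch, nothing the parent inherited from a remote request reaches the helper unless it is passed explicitly.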
