Why doesn't somebody update bash using the exploit?
So, why doesn't someone exploit bash to update bash. Might do the world a small favor. I was thinking that you could issue several commands to match a range of systems, and all it would take is one to work and then bash would be updated.
15 comments
[ 2.9 ms ] story [ 48.3 ms ] threadAnd this exact question was posted to Ask HN yesterday.
Edit: It looks like yesterday's discussion was flagged out of existence.
And why go to jail, literally, for trying to fix other people's mistakes? Few have that little to lose.
Plus companies would claim they spend $$$$ fixing the "damage" you did (e.g. reimage the machine, audits, management meetings about it). They'll claim they "spent" $50K or something stupid after your "illegal break-in" and try to sue you.
That said the more likely reason is that a lot of the time you couldn't - because the bash-you're exploiting wouldn't have root privileges and would thus be unable to fix the issue.
IIR, compiled software on Linux is non-deterministic, so you'd stand an amazingly high chance of damaging the targeted system as opposed to fixing it.
So, if you could pull that one off, you'd not only be a god, but you'd be a god that would probably spend the rest of your life defending yourself in court, where ethics and justice are not really the point.
Just let the process handle it. It's way simpler and far less likely to blow up.
Because each Bash version has different machine-language instructions. There's no realistic way to fix Bash other than by editing the plain-text source and generating binaries for each target processor type.
> ... and all it would take is one to work and then bash would be updated.
Maybe a refresher is indicated, as to the nature of modern computer binaries and how they're created.
I was assuming executing commands like "apt-get update bash", "yum update bash" etc to cover the majority of distros
And suppose a particular vulnerability test fails on a Bash version that is nonetheless vulnerable, and therefore fails to install a critical security update?