Today’s news about a bash bug has sparked the internet equivalent of lots of people yelling about something they don’t really understand. I will admit that I don’t fully understand the bug, but I stumbled across a good explanation of the bash bug here.
UC San Diego computer security has also reviewed the infection vectors. They say that Apache modules (mod_php, mod_perl, mod_python) don’t appear to be vulnerable. However, the article linked above does say that library calls created by PHP functions may be vulnerable. I don’t know enough to understand how the module can be OK, but the system call going through the module is not OK. The key appears to be sending a hyperlink that opens a terminal window that then acts on the original bug. Seems like a lot of work, but it’s a hole. An easier possibility would be to attack Apache systems that use CGI directly.
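An added example, not from the original post or the linked article: under CGI, Apache hands request headers to the program as environment variables, and the bug is triggered by an environment value that begins with a function definition, `() {`. The script below scans Apache combined-format access log lines for that marker; the log lines, addresses and the `find_probes` name are constructed for illustration.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Bash treated an environment value starting with "() {" as an exported
# function definition; optional whitespace inside the marker is tolerated.
FUNC_MARKER = re.compile(r'\(\s*\)\s*\{')

# Logged fields that reach a CGI program as environment variables.
CHECKED = ("request", "referer", "agent")


def find_probes(lines):
    """Return (host, time, field) for every logged field carrying the marker."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            continue  # not combined format; skip rather than guess
        for field in CHECKED:
            # Apache logs a literal '"' as '\"'; undo that before matching.
            value = m.group(field).replace('\\"', '"')
            if FUNC_MARKER.search(value):
                hits.append((m.group("host"), m.group("time"), field))
    return hits


# Constructed sample lines (documentation addresses, payloads elided).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2015:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2015:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; [payload elided]"',
    '203.0.113.5 - - [01/Jan/2015:10:05:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :; }; [payload elided]" "curl/7.30.0"',
    '192.0.2.10 - - [01/Jan/2015:10:06:00 +0000] "GET /app.js HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible) {x}"',
]

if __name__ == "__main__":
    for host, when, field in find_probes(SAMPLE_LOG):
        print(f"{when} {host} function-definition marker in {field}")
```

Only fields written to the access log are checked, so a marker sent in a header the log format does not record will not show up here.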
Installing patches is recommended. When Apple will patch OS X is unknown. Red Hat rolled out an incomplete patch earlier today. It’s been reviewed and a better patch is expected soon.