First of all this is a valid exploit and can be easily patched on GNU/Linux distributions by updating bash to the latest version. From
https://www.reddit.com/r/Bitcoin/comments/2heu88/if_you_are_storing_bitcoins_on_a_linuxmac_system/For example on Ubuntu 14.04 (GNU/Linux)
sudo apt-get update
sudo apt-get install --only-upgrade bash
The man page for bash on Ubuntu 14.04 (GNU/Linux) before the update on shows the following:
Bash is Copyright (C) 1989-2013 by the Free Software Foundation, Inc. This is fairly normal since it takes some time for packages to work their way into the final release of a GNU/Linux distribution.
Now when it comes to OSX this gets really interesting. From further down in the same reddit thread
The thread then goes to propose a fix by replacing the bash shell provided by Apple with a Homebrew solution and I would refer those interested in patching the OSX system to the reddit thread as a
possible solution.
What I find very interesting here is the copyright notice, both regarding the date and the copyright holder. This brings up the following question. Why on earth would Apple be using a 7 year old version of bash? The answer is not technical but
legal, and it relates to DRM. The critical change here is that the Free Software Foundation released the GPLv3 in 2007 and then began slowly porting packages to GPLv3. Here is one of many summaries on the subject.
http://oss-watch.ac.uk/resources/gplv3. Suffice to say that implementing GPLv3, unlike GPLv2, deep in an operating system, such as in the case of bash, makes the whole operating system highly toxic to DRM. For those of us who value our freedom and liberty this is of course a very valuable feature; however if one wishes to create a modern version of the telescreen in George Orwell's
1984 or some thing close to it, using DRM, the presence of GPLv3 code deep in the OS is a fatal bug.
Apple was presented with a choice. Introduce GPLv3 code into OSX and IOS, thereby making these operating systems toxic to DRM or put its users at risk by using 7 year old FSF code that was still licensed under GPLv2. Apple decided to place the greed of organizations such as the MPAA and its own greed, by supporting DRM, ahead the legitimate security needs of its users when choosing to use 7 year old FSF code.
The really disturbing question here is: What other vulnerabilities exist in OSX and IOS because of this reason? At least Microsoft writes it own code to implement DRM, rather than use 7 year old code whose copyright belongs to an organization led by no other than Richard Stallman,
https://en.wikipedia.org/wiki/Richard_Stallman! It may take an entrepreneurial class action litigation firm to heard enough of the iSheep into a class action lawsuit against Apple to actually secure OSX and IOS, by dealing with the underlying
legal cause of these vulnerabilities.
