
Why doesn't somebody update bash using the exploit? - Prefinem
So, why doesn't someone exploit bash to update bash. Might do the world a small favor. I was thinking that you could issue several commands to match a range of systems, and all it would take is one to work and then bash would be updated.
======
lutusp
> So, why doesn't someone exploit bash to update bash.

Because each Bash version has different machine-language instructions. There's
no realistic way to fix Bash other than by editing the plain-text source and
generating binaries for each target processor type.

> ... and all it would take is one to work and then bash would be updated.

Maybe a refresher is indicated, as to the nature of modern computer binaries
and how they're created.

~~~
Prefinem
> Maybe a refresher is indicated, as to the nature of modern computer binaries
> and how they're created.

I was assuming executing commands like "apt-get update bash", "yum update
bash" etc to cover the majority of distros

~~~
lutusp
But it's both simpler and more effective to issue those commands directly --
they would either perform the update or benignly say that the current Bash
version is up to date.

And suppose a particular vulnerability test fails on a Bash version that is
nonetheless vulnerable, and therefore fails to install a critical security
update?

~~~
Prefinem
Then it is still up to the server owner...

~~~
lutusp
In both cases we're talking about someone who has root authority, so the
distinction between user and owner is moot.

------
stevekemp
As the other commentators mention, this would almost certainly be illegal, and
would fall under computer-misuse laws.

That said, the more likely reason is that a lot of the time you couldn't -
because the bash you're exploiting wouldn't have root privileges and would
thus be unable to fix the issue.

~~~
Prefinem
Ah... Thanks for the explanation... I haven't done a lot of research on it
yet, just worked on updating bash to fix it.

------
drivingmenuts
Not only would that be illegal, it would be nearly impossible, since you'd
have to patch bash at the binary level.

IIRC, compiled software on Linux is non-deterministic, so you'd stand an
amazingly high chance of damaging the targeted system as opposed to fixing it.

So, if you could pull that one off, you'd not only be a god, but you'd be a
god that would probably spend the rest of your life defending yourself in
court, where ethics and justice are not really the point.

Just let the process handle it. It's way simpler and far less likely to blow
up.

------
Someone1234
Because doing so would be illegal.

And why go to jail, literally, for trying to fix other people's mistakes? Few
have that little to lose.

Plus companies would claim they spend $$$$ fixing the "damage" you did (e.g.
reimage the machine, audits, management meetings about it). They'll claim they
"spent" $50K or something stupid after your "illegal break-in" and try to sue
you.

~~~
Prefinem
I guess in today's world, even doing something helpful, the means that may not
be "ethical" is seen as bad...

~~~
smeyer
I certainly wouldn't consider this helpful. I'd rather decide when and if to
undertake particular updates to my systems, not have someone else decide to
try (and possibly fail) to force one on me in an ad hoc manner.

------
nowarninglabel
There was actually a great short story in 2600 a few years back about a
security researcher using an exploit to create a worm that automatically
patched up the vulnerable systems. Quite enjoyable, anyone remember the name
of it?

~~~
aroch
[https://en.wikipedia.org/wiki/Welchia](https://en.wikipedia.org/wiki/Welchia)

------
runjake
Because that's hacking and totally illegal in most countries.

And this exact question was posted to Ask HN yesterday.

Edit: It looks like yesterday's discussion was flagged out of existence.

~~~
Prefinem
My bad, I never saw it... Didn't realize it was ever posted

