09-26-2014, 09:43 PM
#1
Franchise Player
Join Date: Jul 2003
Location: Sector 7-G
Shellshock *nix Vulnerability
Wow - another massive vulnerability in the supposedly more secure *nix and OSX operating systems... Patch, Patch, Patch folks.... Amazing that this vulnerability could have existed for 25 years....
Quote:
A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems and, thanks to their ubiquity, the internet at large.
It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.
The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that use or invoke Bash in any way, including any child processes spawned by the scripts, are vulnerable to remote-code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.
Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk; Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway. It's essential you check the shell interpreters you're using, and any Bash packages you have installed, and patch if necessary.
http://www.theregister.co.uk/2014/09...sh_shell_vuln/
It's definitely not every day you can say this:
Quote:
The only people who don't have to worry about it are people who are running Windows consumer PCs or devices that are smaller than five centimetres by five centimetres, Prof. Skillicorn said.
Absolutely everything in between is almost certainly affected.
http://www.theglobeandmail.com/techn...board/follows/
09-27-2014, 06:59 AM
#2
Scoring Winger
Join Date: May 2008
Location: Syracuse, NY
What? No waiting for Patch Tuesday?!?!?
__________________
...Rob
The American Dream isn't an SUV and a house in the suburbs;
it's Don't Tread On Me.
09-27-2014, 09:28 AM
#3
Franchise Player
Join Date: Oct 2010
Location: Calgary
Thank goodness this was discovered earlier and people can do something about it. With Heartbleed, it was more that people found out about it after the fact, once it had already been widely exploited, no?
As far as I can tell, this would affect everything including routers, web servers and all sorts of networking equipment that used embedded Linux/Unix as well. Hopefully everything gets patched pretty quickly, but there will always be private things or companies with lazy/oblivious employees.
I really wonder if this is one of those "NSA purposely left wide open exploits" that someone just happened to discover now.
Last edited by FlameOn; 09-27-2014 at 09:32 AM.
09-29-2014, 12:20 PM
#4
Franchise Player
Join Date: Aug 2005
Location: Violating Copyrights
Most Mac OS X (and probably Linux) users aren't affected unless they've enabled some Unix services.
You can run this in the Terminal to check:
Code:
env x='() { :ignored function;}; echo this should not show' bash
You would also have to be running some sort of software that can be run over the Internet and can invoke Bash when run.
Server owners should be worried. Home users not so much.
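The one-liner above, wrapped as an added example (not from the post) into a function that can be pointed at each shell interpreter on a box and called from a script. It assumes bash is in PATH; the marker string and the function names are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post. The exported variable holds a
# function definition followed by an extra command; a vulnerable bash runs
# that trailing command while importing its environment, a patched bash
# does not. Assumptions: bash is in PATH; MARKER is a constructed string.

MARKER="shellshock_marker_constructed"

# shellshock_check [interpreter]
# Prints "vulnerable", "patched" or "missing"; exit status 1, 0 or 2.
shellshock_check() {
    shell="${1:-bash}"
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # -c ':' makes the child exit at once instead of opening an interactive
    # shell, so this is safe to call from scripts or cron. Some patched
    # builds warn on stderr about ignoring the definition, hence 2>/dev/null.
    out=$(env x="() { :;}; echo $MARKER" "$shell" -c ':' 2>/dev/null)
    case "$out" in
        *"$MARKER"*) echo "vulnerable"; return 1 ;;
        *)           echo "patched";    return 0 ;;
    esac
}

# report_shells [interpreter...]
# Checks every interpreter given (default: bash and /bin/sh). On Debian-
# derived systems /bin/sh is usually dash, which never imports functions
# and so reports "patched", matching the Register's note quoted above.
report_shells() {
    [ $# -gt 0 ] || set -- bash /bin/sh
    rc=0
    for s in "$@"; do
        status=$(shellshock_check "$s") || true
        printf '%-12s %s\n' "$s" "$status"
        if [ "$status" = "vulnerable" ]; then rc=1; fi
    done
    return $rc
}

report_shells
```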
09-29-2014, 12:51 PM
#5
In the Sin Bin
Quote:
Originally Posted by FlameOn
Thank goodness this was discovered earlier and people can do something about it. With Heartbleed, it was more that people found out about it after the fact, once it had already been widely exploited, no?
As far as I can tell, this would affect everything including routers, web servers and all sorts of networking equipment that used embedded Linux/Unix as well. Hopefully everything gets patched pretty quickly, but there will always be private things or companies with lazy/oblivious employees.
I really wonder if this is one of those "NSA purposely left wide open exploits" that someone just happened to discover now.
The problem with shellshock isn't so much that it was caught before widespread exploitation, but in the fact that it is an exploit of ancient code within Bash that related to features nobody even really uses. So far, there are at least four separate CVE articles assigned to various aspects of this - they patched for one test case, then discovered another, and another, and another...
So now we probably have a race between security researchers and "hackers" to find other exploits in ancient code. It's almost looking like fighting a hydra. Cut off one head, discover another.
As an aside, I am loving the fact that Windows PCs are unaffected, but Macs have some risk. Minimal as it is, there are people freaking out because Apple doesn't have a patch yet.
09-29-2014, 09:37 PM
#6
Franchise Player
Join Date: Aug 2005
Location: Violating Copyrights
Apple has released a security update for Lion, Mountain Lion, and Mavericks.
09-30-2014, 12:38 PM
#7
In the Sin Bin
Ugh. Of all the reasons I hate Apple, the need to always refer to each revision of OSX by its codename is near the top.
09-30-2014, 01:03 PM
#8
#1 Goaltender
Join Date: Oct 2009
Location: North of the River, South of the Bluff
Quote:
Originally Posted by Resolute 14
Ugh. Of all the reasons I hate Apple, the need to always refer to each revision of OSX by its codename is near the top.
You mean like:
Cupcake (1.5)
Donut (1.6)
Eclair (2.0–2.1)
Froyo (2.2–2.2.3)
Gingerbread (2.3–2.3.7)
Honeycomb (3.0–3.2.6)
Ice Cream Sandwich (4.0–4.0.4)
Jelly Bean (4.1–4.3.1)
KitKat (4.4–4.4.4)
09-30-2014, 02:24 PM
#9
Franchise Player
Join Date: Aug 2005
Location: Violating Copyrights
Quote:
Originally Posted by Resolute 14
Ugh. Of all the reasons I hate Apple, the need to always refer to each revision of OSX by its codename is near the top.
That's a strange thing to hate. You should see someone about that.
10-01-2014, 03:49 PM
#10
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
10-01-2014, 07:30 PM
#12
In the Sin Bin
Quote:
Originally Posted by Barnes
That's a strange thing to hate. You should see someone about that.
It's more of the same pretentious nonsense Apple is known for, and just as stupid in Android. Just dumb that I have to cross-reference what version number a computer is giving me against a list of random cat names to figure out which patch to apply.
10-01-2014, 11:07 PM
#13
Franchise Player
Join Date: Aug 2005
Location: Violating Copyrights
Quote:
Originally Posted by Resolute 14
It's more of the same pretentious nonsense Apple is known for, and just as stupid in Android. Just dumb that I have to cross-reference what version number a computer is giving me against a list of random cat names to figure out which patch to apply.
Oh? I just click app store and then update.
It's users who started using codenames to refer to versions, because they were always announced at WWDC, which is where the developers are, and developers tend to use codenames. OSX has wine-based codenames internally. It's not new, unique, or pretentious.
My favorite was Capone (System 7.5) because he ruled Chicago (Windows 95).
Last edited by Barnes; 10-01-2014 at 11:16 PM.