Warning to Linux and Apple users [CVE-2014-6271 & CVE-2014-7169]


Posts: 2263

3.4MB didn't raise my eyebrows as being small. After checking, I see that Bash in Mavericks is 614K in size.

I still don't see the Bash fix in my software updates; I'm wondering why that's lagging. There was a brief but widespread iCloud outage yesterday; maybe pushing the update is connected to that issue.

I stumbled upon a Bash history file in my home folder. It was modified yesterday because I used cal. It was previously modified about three weeks ago, also because I used cal. Going through it, everything in that history was stuff I did. It's definitely possible that "stuff I did" is all that file covers, though.

I would hope that users who know enough to use "advanced UNIX services" would know to install a fresh OS with default settings when passing a machine along to a new owner. Of course, there'd be no guarantees.


Admin

Posts: 11073

bash is not in auto updates because Apple use bash in the process! LOL

Exactly! If bash is 614kB, what the heck is the rest of all that? The patch for one OS is ten times the size of the other two.

The iCloud outage? I was just wondering how that all worked. I presume a local machine has some form of server running on it, so that it can synchronize, then I wonder if that is like most other servers and uses bash. The outage could well have been Apple patching their own servers. Perhaps not directly to bash but other security related changes?

You should be able to get your history by typing "history" in Terminal and pressing enter.

My line of thinking is more along the lines of people who bought a Mac, probably years ago, and it was the only machine in the house. The mentality is that Macs are safe. While it continues to work, they never bother about a thing! These people may have had kids at the time of purchase and all sorts of things would have been installed and modified. They don't want them any more; they remove them. This can still leave dependencies installed, as well as configuration changes. These people are generally not experts. If something doesn't work, they may dig into something and play with it. Their issue is resolved and they don't undo all the changes they made along the way. There really are quite a lot of older people out there that bought a computer for life and are still using it.

On these systems, autoupdates just silently stopped. Many are none the wiser.

Granted, webpages must look a heck of a lot weirder these days, but that is likely someone else's fault!

Take Snow Leopard as an example. 25% of Apple users were using Snow Leopard in March 2014. That was first released only 5 years ago and no longer gets updates. Reasons given there are business oriented. People know they can get a good machine at a bargain price. They can also run their older versions of Adobe products on these and not have to pay to upgrade (probably to a less desirable product too).

ALL OS X systems are potentially vulnerable and quite likely, the older they are, the more vulnerable they will be.

This is NOT a good message to send to potential purchasers. Granted, many of these people could upgrade to Mavericks, and many for free, but a) do they know how? and b) do they want to?

What's the message here? Apple build a machine that will last 20 years or more BUT they will not support it and after four plus years, you are on your own? Surely this raises questions about whether it is worth the extra for the quality?

If I were an Apple Owner I would be asking WHY Apple did not issue an immediate and clear statement? I would also ask why it took them a week longer to do something than anyone else?

Not asking for transparency here, just straightforward openness, honesty and timeliness.

This then raises the question of WHY they don't? This is a known issue. Not like hiding it makes people less vulnerable. Are there things they do not wish to admit to?

Not being funny here or accusatory, but hypothetically speaking, suppose Apple use bash on iOS, only they renamed it aplsh? People cannot find the bash program because it is not called that. The same vulnerability would exist, only it would have to be accessed differently in order to be an issue. Keeping quiet means not telling people that aplsh is the same as bash. In that way, an iOS device *could* be claimed to be safe. The vulnerability could still be there though.

I'm sorry but the silence here just smells of a coverup of some form.

How do people find out about these bash updates that have just been made available?

What about good Customer Service and make downloadable patches for no longer supported OSes?

To a point, I agree that remaining silent on a security related issue is wise but only until the issue has been resolved. In this case, the full detail of the vulnerability was already known worldwide. There is absolutely no GOOD reason to not issue a clear statement in this case ... UNLESS something is being hidden.

People have GOT to ask questions here!

Shellshock was disclosed on 24 September 2014. Our host patched the servers on the 24th.

What the heck are Apple doing? LOL

Admittedly, patches are deemed temporary but they are still worth having. No reason why Apple could not have made these patches available too. Something better comes along, withdraw one and release another. Why leave these things to chance?

I'll get off my soapbox now!


Admin

Posts: 11073

And back on it again...

None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.
Source

That is a snippet from the last non-marketing press release by Apple.

Twenty percent said they are now less confident storing photos and data
in an Apple cloud service, and 40% said they are less confident doing so
with any cloud service.
Source

Clearly, people are losing trust.

The coup de grâce? Could this and Shellshock possibly be related?

Really, they are doing themselves harm and no attempt to mitigate the damage? Something very strange going on here.

Various sources say 2,925,249,355 is the approximate number of Internet users this year.

NetMarketShare shows: 5.54% = 162,058,814 of OS X users have had patches made available to them and 1.2% = 35,102,992 are running unsupported and vulnerable OS X.

The stats are grossly flawed because mobile percentage was not removed. If one estimates this as 50% - which is reasonable - that means Apple are neglecting around 17 million people.

They do have the ability to contact these people. They could also make some press effort. The risks to these people are highly likely to be more than the risks to unpatched and supported OS X systems.

Given the serious nature of this flaw, exploited machines can gain access to other networked devices. This could even be turned into a massive botnet.

Perhaps Apple just do not know what to do for the best right now? Doing nothing is only harming them. There has to be a reason for the silence on this. The stakes are pretty high, so it must be a whopper!


Admin

Posts: 11073

Simon Says... (Written by Dreamhost CEO Simon Anderson!)
On September 24, something big happened that caused ripples of panic around the unmanaged server world. Security flaws in the popular Unix Bash shell were discovered that could enable hackers to gain unauthorized access to Unix-based computer systems. This vulnerability became menacingly known as "Shellshock".

But do not fear, DreamHost was ready to protect your servers and your data!

As a full service managed web host, we actively manage the operating systems on our servers with extreme (yes, extreme) vigilance to patch security flaws as soon as they are identified. So, in the early morning of September 24, our security team swung into action and rapidly patched the vulnerability.

Over the next few days, swarms of hackers and botnets around the world attacked other companies' servers that were still vulnerable, and it caused a gnashing of teeth and tearing out of hair.

Vigilance and speed are key in protecting your sites, applications and data, and we're proud of our security team (aka Nightmare Labs) for being ready and acting super fast. Systems security is a science and an art, but ultimately it's talented, resourceful people that make us all safe.

The right way to handle things!

I found the page on the "OS X bash Update 1.0". As various other sites have confirmed, Apple's bash patch is incomplete.

When people's security is at stake, one does not sit around for 5 days knowingly leaving them vulnerable, when a solution is already available.

"In certain configurations, a remote attacker may be able to execute arbitrary shell commands" (AAPL)

Many users are unaware what "advanced UNIX services" are. They sure will find a way to achieve a result that they want, though, which will entail use of "advanced UNIX services", both unseen and unlabelled.

During Apple’s (AAPL) earnings conference call on Wednesday, it was revealed that Apple now has about 800 million iTunes accounts.
Source
This confirms my estimated figure above must be close.

An example: Apple "Web Sharing". Easily turned on from the sharing panel in any version prior to OS X Mountain Lion (version 10.8) [July 2012].


Posts: 2263

I can definitely see where people are wary about cloud storage after the photo thing. My recollection is that this affected several services and that the "breach" mainly involved security lapses on the part of individuals. When multiple sites are successfully attacked like that, a common cause is using the same password on more than one site.

Having said that, Apple (and other sites) need to do a better job of protecting us from ourselves. How about disabling the ability to log in after several failed attempts?

I had forgotten about Web Sharing, but I did think that there might be something in the GUI that could open up this issue. Most users won't find a need to check anything in that panel, but I could see people who need to check one or two items deciding to check everything.

I thought about the 3.4MB download. I'm betting that most of it is the installer.

Snow Leopard definitely should have been patched, even though it's been retired. It's a pretty straightforward patch that doesn't have a lot of potential to break anyone's OS.

How are we able to tell that the patch is incomplete?

EDIT: ^^ I found a couple of articles that answer this:

Apple issues incomplete OS X patch for Shellshock

Apple's Shellshock patch for Macs is incomplete, says security researcher
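The question of how one can tell whether a given bash build is patched has a concrete answer: the two CVE advisories referenced on Apple's HT6495 page each describe a behaviour that only a vulnerable bash exhibits, and those behaviours can be probed locally. The script below is an added self-check and is not from this thread or from Apple; it assumes the bash to be tested is on PATH (override with the hypothetical `BASH_BIN` variable), runs only against the local interpreter, and reports "patched" for a CVE only when that specific defect is absent. A "patched" result on both probes says nothing about the later Shellshock follow-up fixes, which is exactly why a partial patch can look complete to a casual check.

```shell
#!/bin/sh
# Added local self-check for the two Shellshock CVEs named on the page.
# Each probe prints "patched", "vulnerable" or "no-bash" and never exits
# non-zero, so it can be used from scripts that run under `set -e`.

BASH_BIN="${BASH_BIN:-bash}"   # assumption: the bash under test is on PATH

have_bash() { command -v "$BASH_BIN" >/dev/null 2>&1; }

# CVE-2014-6271: an exported function definition followed by a trailing
# command. A patched bash ignores the trailer, so only "test" is printed;
# a vulnerable bash runs the trailer and prints "vulnerable" first.
check_cve_2014_6271() {
  have_bash || { echo no-bash; return 0; }
  out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# CVE-2014-7169: the first fix left a parser bug where a malformed function
# body leaks a redirection into the NEXT command. On a vulnerable bash,
# `echo date` effectively becomes `date > echo`, so a file named "echo"
# appears in the working directory; a patched bash only prints "date".
# The probe runs inside a throw-away directory so nothing is left behind.
check_cve_2014_7169() {
  have_bash || { echo no-bash; return 0; }
  dir=$(mktemp -d) || { echo error; return 0; }
  ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
  if [ -f "$dir/echo" ]; then status=vulnerable; else status=patched; fi
  rm -rf "$dir"
  echo "$status"
}

# Human-readable report; exit status 0 only when both probes say "patched".
shellshock_report() {
  a=$(check_cve_2014_6271)
  b=$(check_cve_2014_7169)
  echo "CVE-2014-6271: $a"
  echo "CVE-2014-7169: $b"
  [ "$a" = patched ] && [ "$b" = patched ]
}

# Usage: sh shellshock_check.sh  (or BASH_BIN=/path/to/bash sh shellshock_check.sh)
shellshock_report
```

Running the script against an unpatched or partially patched bash shows the difference the articles above describe: Apple's first update closes the CVE-2014-6271 probe but the CVE-2014-7169 probe still leaves the stray `echo` file behind, so the report prints "patched" for the first line and "vulnerable" for the second.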


Admin

Posts: 11073

1992casey wrote: How about disabling the ability to log in after several failed attempts?

It's been added.

Imagine someone trying to fileshare with another device, even their TV? Just find a way to make it work and that's as much thought as is given. Ever reverted when not used? Out of sight and out of mind!

So, one installer is ten times the size of the other two?

Patches should be available for all! This should be made both known and easy.

http://support.apple.com/kb/HT6495 only references CVE-2014-6271 & CVE-2014-7169. Both patches are only partial.

Ref 1
Ref 2
Ref 3
more...

To be clear, I am saying that approximately 17 million "retired" OS X Apples are out there in use, connected to the Internet, vulnerable, and a percentage of these are at risk. The risk here is possibly higher than the risk to the three currently supported OS X versions.


Posts: 2263

So, one installer is ten times the size of the other two?

That's a typo. Apple lists the file sizes as 3.5MB (Lion) 3.3MB (Mountain Lion), and 3.4MB (Mavericks).

I'm not sure where you got your information. If it came from Apple's site, it's been corrected. If it came from elsewhere, the 34MB number is probably the result of someone having a shaky typing finger. :)


Admin

Posts: 11073

Hahahaha! I don't recall either.

Thanks.

ETA: It was appleinsider.
