OT: Bash bug - hope our servers are secure.

Artini Posts: 9,455
edited September 2014 in The Commons

Have just found information about a newly discovered bug - this time Linux, Apple Macs
and some Android, Windows and IBM machines are affected.
Say hello to the bash bug, a lesson in why Internet-connected devices are inherently unsafe.
http://money.cnn.com/2014/09/24/technology/security/bash-bug/index.html


Comments

  • bytescapes Posts: 1,841

    If my lightbulb is spawning a bash shell, then I deserve everything I get.

    Just for reference, no distributed exploits for the so-called Shellshock bug (which affects the bash shell interpreter, a widely-used piece of software on Linux systems) have yet been reported. It is a serious threat, and there will be exploits. But contrary to the breathless tone of the article, no lightbulbs have yet been compromised, and the RedHat security warning does not describe it as 'catastrophic'.

    For the record, I manually patched two servers against Shellshock this morning. Took me about a minute for each one, including the time required to log in.

    TL;DR: it's real, it's nasty, but fixes are already available and are easy to apply; lightbulbs are not thought to be at special risk.

  • Wilmap Posts: 2,917

    My son patched our server today. Didn't take long.

  • bad4u Posts: 684
    edited September 2014

    angusm said:
    [...]

    TL;DR: it's real, it's nasty, but fixes are already available and are easy to apply; lightbulbs are not thought to be at special risk.

    Recent patches are incomplete, so there is no full solution available yet.

    https://access.redhat.com/articles/1200223

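A local check that goes with the patching reports in this thread and with the note that early patches were incomplete. This is an added example, not something posted in the thread: it runs the widely published test for the original Shellshock behaviour (bash used to keep parsing past an exported function definition and execute whatever trailed it) and reports whether the bash binary on the machine still does that. It assumes a `bash` binary on PATH or a path passed as the first argument, and it does not cover the later, narrower variants that the Red Hat article linked above tracked separately; use the distribution advisory for those.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a bash binary still
# executes the command trailer that Shellshock abused.
#
# Exported functions reach bash through the environment as
# "name=() { body; }". An unpatched bash parsed past the closing brace and
# ran whatever followed. The constructed value below carries only an echo,
# so the only observable effect is an extra line of output.
#
# Return codes: 0 = patched (trailer ignored)
#               1 = VULNERABLE (trailer was executed)
#               2 = the requested bash binary could not be found
shellshock_check() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || return 2
  # Constructed test value: a function definition followed by a trailer.
  out=$(env 'x=() { :;}; echo TRAILER_EXECUTED' "$bash_bin" -c 'echo probe-ran' 2>/dev/null)
  case "$out" in
    *TRAILER_EXECUTED*) return 1 ;;
    *) return 0 ;;
  esac
}

# Human-readable wrapper, e.g. for a cron job that mails the result.
report_shellshock() {
  bash_bin="${1:-bash}"
  rc=0
  shellshock_check "$bash_bin" || rc=$?
  case "$rc" in
    0) echo "patched: $("$bash_bin" --version 2>/dev/null | head -n 1)" ;;
    1) echo "VULNERABLE: $bash_bin executes trailing commands from exported functions" ;;
    *) echo "error: $bash_bin not found" ;;
  esac
  return "$rc"
}

# Usage: sh shellshock-check.sh [/path/to/bash]
report_shellshock "$1"
```

On a patched host the probe prints only `probe-ran` and the function returns 0; a host where the trailer line also appears is still exposed and needs the vendor update, not a config tweak.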
  • bad4u Posts: 684
    edited September 2014

    angusm said:
    [...]
    Just for reference, no distributed exploits for the so-called Shellshock bug (which affects the bash shell interpreter, a widely-used piece of software on Linux systems) have yet been reported.

    That's also not correct - at least no longer.

    https://gist.github.com/anonymous/929d622f3b36b00c0be1

    A DDoS botnet has already been reported to use the vulnerability. Besides that, on Github you can find a metasploit module (though that affects VMWare virtual machines on Mac) and another to scan for vulnerable systems on the net.

  • robkelk Posts: 3,259
    edited September 2014

    angusm said:
    ... and the RedHat security warning does not describe it as 'catastrophic'.
    Then somebody at RedHat needs to write better security warnings. This is a CVSS level-10-critical vulnerability; they don't get any more catastrophic than that. This allows unauthorized disclosure of information, unauthorized modification of systems, and disruption of service to unauthenticated users (i.e. people who don't log in to the system).

    On the positive side, Windows appears to be unaffected by this one.

  • StratDragon Posts: 3,167

    Patch for Mac OS is here

    http://support.apple.com/kb/HT1222

    this is the link to the tool
    "OS X Base update 1.0"

  • Artini Posts: 9,455

    Thanks. You mean: "OS X bash Update 1.0"
