Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services

bawbac said:
As time marches on, those 2 items are becoming less of a part of Apple products.

It's odd that a company so controlling over every little detail would use free stuff that's available for anyone to look at the SOURCE!
Click to expand...

Your outrage is un-necessary. If you were truly angry, could you tell us what DSL/Cable Router you use? 95% of the home routers out there use a form of embedded BSD or Linux. Thus, all of them are affected. You should levy your anger also at companies like Linksys, Tp-Link, Dlink, Netgear, ASUS and the likes. I highly doubt many of the 2-3 yr old routers will get any form of patches.

I'd be more scared of a broken front facing Internet router than a mac behind a firewall. Your gateway to the Internet would be the first vector of attack.

The thing I am worried about are the switches and routers we currently have. Same with hypervisors and embedded Internet appliances.
 
fortysomegeek said:
Your outrage is un-necessary. If you were truly angry, could you tell us what DSL/Cable Router you use? 95% of the home routers out there use a form of embedded BSD or Linux. Thus, all of them are affected. You should levy your anger also at companies like Linksys, Tp-Link, Dlink, Netgear, ASUS and the likes. I highly doubt many of the 2-3 yr old routers will get any form of patches.

I'd be more scared of a broken front facing Internet router than a mac behind a firewall. Your gateway to the Internet would be the first vector of attack.

The thing I am worried about are the switches and routers we currently have. Same with hypervisors and embedded Internet appliances.
Click to expand...

Routers, Rasberry Pis, some NASes, Smart TVs (most notably from Samsung), among others. All potentially vulnerable to the same thing. QNAP just had a major blue with this, and if you can ssh into any of these where bash may exist, your vulnerability just got bigger.

BL.
 
fortysomegeek said:
Your outrage is un-necessary. If you were truly angry, could you tell us what DSL/Cable Router you use? 95% of the home routers out there use a form of embedded BSD or Linux. Thus, all of them are affected.
Click to expand...
Another sweeping generalisation. Many do not use bash, they use ash or some other lightweight shell.
 
Skoal said:
Apple tends to not announce patches until they are available. You know this I'm sure and no not all Unix/Linux systems are patched yet.
Click to expand...

Same with Linux distros - in fact, with all software vendors.

What's your point?
 
Status...

Ican really understand all the excitement of the last days but what is the status of this topic here.

Is it still relevant?

I have Java, Apache and much other stuff installed and i feel very uncomfortable because of this nebula situation.

Thanks
 
evilaci said:
Ican really understand all the excitement of the last days but what is the status of this topic here.

Is it still relevant?

I have Java, Apache and much other stuff installed and i feel very uncomfortable because of this nebula situation.

Thanks
Click to expand...

If you haven't patched, it is still very relevant.

The Apache servers I maintain at work are constantly getting attacked by people looking for shell scripts being used for CGI scripts. Since we don't use them for CGI, I have mod_cgi disabled. If you use them and have mod_cgi enabled, they have the vector to attack you.

Having them installed does not mean having them secured.

BL.
 
evilaci said:
Ican really understand all the excitement of the last days but what is the status of this topic here.

Is it still relevant?

I have Java, Apache and much other stuff installed and i feel very uncomfortable because of this nebula situation.

Thanks
Click to expand...

The status of the topic is that it now takes less time to apply the patches from apple, than ask questions like "Is it still relevant?"

That is assuming that you care about security enough to be running a recent version of OS X and can search for the bash updates here:
http://support.apple.com/downloads/

If you are running apache with mod_cgi then that is one potential attack vector. Some more potential attack vectors and proof of concepts which may or may not work can be found here if you want to experiment:
https://github.com/mubix/shellshocker-pocs

To check bash itself, you can try this one:
https://github.com/hannob/bashcheck

Summary: just apply the patches.

EDIT: of course java and apache can have their own problems which are not related to bash.
 
Thanks

bradl said:
If you haven't patched, it is still very relevant.

The Apache servers I maintain at work are constantly getting attacked by people looking for shell scripts being used for CGI scripts. Since we don't use them for CGI, I have mod_cgi disabled. If you use them and have mod_cgi enabled, they have the vector to attack you.

Having them installed does not mean having them secured.

BL.
Click to expand...

Yes thanks and Alex0002 too!

I understand you. My point was just related that the fix is not in the Apple Update after all the media hyper spectacle and i checked the last 10 days via the Apple Update.

So i do myself hard to describe the situation: Do i have to take care now about fixes which are on Apple support pages too, or is only trusting and checking the Apple Updater enough for me as a user?

For me i get almost the feeling that they act on purpuse strange if they handle this as they handle it now.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back