
[SECURITY ALERT] Shellshock

Discussion in 'Bits & Bytes' started by Biker, Sep 26, 2014.

  1. Biker

    Biker Administrator Staff Member

    All Linux distributions as well as OS X are vulnerable to this one. This one's huge, bigger than Heartbleed. Initial patches are to lessen the severity of the bug, but expect to see several updates over the course of the next few days.

    Bourne Again Shell (Bash) Remote Code Execution Vulnerability | US-CERT

    Fixes are being pushed for each Distro (Mint has updated 3 times already). Make sure you're getting the updates, and if not, you can update manually using "patch" here: bug-bash (thread)

    Of course, Apple is saying the majority of OS X users are safe. **cough cough** Which means there probably won't be an OS X patch for months. Idiots.
     
  2. SixofNine

    SixofNine Jedi Sage Staff Member

    Keeping an eye on this because my wife has an iMac and a MacBook for her photography business.

    I would want to patch any vulnerability such as this ASAP no matter what my user profile, but that's me. I think what Apple is talking about is that its users have to configure advanced Unix services to be vulnerable. But that's no excuse not to patch ASAP.

    Hey, you're "bash"-ing Apple again. :D
     
  3. Biker

    Biker Administrator Staff Member

    There's a lot more that's affected, too. Routers, Android devices, etc. Cell phones and tablets will be a huge headache as cell companies are extremely slow in pushing updates to operating systems.
     
  4. Allene

    Allene Registered User

    Does this affect iPhone? Also, no mention of Windows OS.
     
  5. SixofNine

    SixofNine Jedi Sage Staff Member

    Anything that runs the Unix operating system or one of its variants, which means that Windows is safe.

    Don't quote me, but I think that iPhones are safe because of the following:

     
  6. Allene

    Allene Registered User

    Thanks, that's good news for me.
     
  7. Greg

    Greg Full Member

    Shit, my network attached storage servers run Linux. I don't know if this affects me or not. In theory they are accessible by UPnP over the Internet but I think I have pretty much crippled them for that. Probably best thing to do is add in a router rule that they can't talk to the Internet.
     
  8. Biker

    Biker Administrator Staff Member

    Guess what, some routers are also going to be susceptible to this as well. ANYTHING with bash is vulnerable.
     
  9. Allene

    Allene Registered User

    Do you have information on which routers are vulnerable?
     
  10. Biker

    Biker Administrator Staff Member

    Unfortunately, no. However, it may be a wise idea to periodically check to see if there are updates available for whatever model you're using.
     
  11. Biker

    Biker Administrator Staff Member

    OK. Been doing some research on this and the majority of home routers are going to be using a Busybox derivative that shouldn't be vulnerable to shellshock. However, the more robust routers that businesses and ISPs use may very well be vulnerable and they're able to run bash.

    Your typical home router doesn't have the horsepower to run bash, so rest easy. :)
     
    cmhbob likes this.
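
Added example (not part of the thread): a small POSIX shell check for the distinction drawn in the post above, reporting whether the shell behind a given path is bash, BusyBox, or something else. The function names and the list of candidate paths are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report which shell implementation sits behind a path.

# classify_shell PATH -> prints bash | busybox | other | missing
classify_shell() {
    target=$1
    [ -e "$target" ] || { echo missing; return 0; }
    # Follow symlinks: on BusyBox systems /bin/sh is normally a link to
    # the single busybox binary; on many distros it links to bash or dash.
    resolved=$(readlink -f "$target" 2>/dev/null || echo "$target")
    case "$(basename "$resolved")" in
        busybox*) echo busybox; return 0 ;;
        bash*)    echo bash;    return 0 ;;
    esac
    # The file name was inconclusive: fall back to the version banner.
    banner=$("$target" --version 2>&1 </dev/null | head -n 1)
    case "$banner" in
        *"GNU bash"*) echo bash ;;
        *BusyBox*)    echo busybox ;;
        *)            echo other ;;
    esac
}

# inventory_shells: classify the usual locations (assumed list) plus $SHELL.
inventory_shells() {
    for p in /bin/sh /bin/bash /usr/bin/bash /usr/local/bin/bash "${SHELL:-}"; do
        [ -n "$p" ] || continue
        printf '%s\t%s\n' "$p" "$(classify_shell "$p")"
    done
}

inventory_shells
```

A `bash` result only says bash is present on the device; whether it is a fixed build still has to be confirmed against the vendor's or distribution's updated package.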
  12. tke711

    tke711 Oink Oink Staff Member

  13. Allene

    Allene Registered User

    Yay! Thanks. Mine cost about $100.

     
  14. Greg

    Greg Full Member

    I remember when Apple users were laughing at all the vulns Microsoft had, IMO more due to the vastly larger numbers of MSFT users makes cracking them more worth the cracker's time. Linux wasn't even on the map then.

    Fast forward to today: I was notified a few months ago that my credit card may have been compromised because Target got cracked, and they offered me a year of free credit monitoring service (which I accepted). Now just a few days ago Home Depot has notified me that my credit card may have been compromised, and they too have offered me a year of free credit monitoring service (which I will also accept). In both cases Discover notified me that I was being sent a new credit card with a different number. Now I'm going to have to go all over the Internet changing my various utilities, phone service, cellphone, etc. to use the new CC number.

    I believe in the Target case their system was based on Microsoft Windows.
     
  15. tke711

    tke711 Oink Oink Staff Member

  16. Allene

    Allene Registered User

    My iPhone 5 offered me the privilege of updating to 8.0 today. Wonder how many people will accept that offer?
     
  17. Greg

    Greg Full Member

    I'm still on 6. I don't want to do anything to my phone that I can't reverse. I like it the way it is now. Anyway I'll probably get an iPhone 6 in a few months, when my contract expires and I can get a subsidized new phone.
     
  18. SixofNine

    SixofNine Jedi Sage Staff Member

    Picked this up in a newsletter:

     
  19. Andy

    Andy ΜΟΛΩΝ ΛΑΒΕ

    I pulled the trigger on my 5s with no issues. Backup in iTunes. Wipe phone. Update. Restore.
     
    ethics likes this.
  20. Allene

    Allene Registered User

    That's good to know, but my iPhone 6 is arriving around 10/9, so I don't want to bother upgrading a phone I won't be using in another week.
     
