"ShellShock" - what are you doing?
Richard Gaskin
ambassador at fourthworld.com
Sat Sep 27 14:22:32 EDT 2014
Bruce Pokras wrote:
> this is really a non-issue for the vast majority of OS X users.
Most home CLIENT COMPUTERS are probably safe, but many other systems
remain vulnerable, and with things like routers those can compromise
internally-connected clients.
Steven J. Vaughan-Nichols at ZDNet has a good overview of the current
situation this morning, with new tests to be run to check the latest
patches - from the article:
If you're just running a Mac laptop or desktop, you shouldn't have
any worries. What Apple doesn't say, but is nonetheless true, is
that if you're running a Mac server to provide network services such
as a Web or Dynamic Host Configuration Protocol (DHCP) server, you're
wide open to being attacked.
<http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/>
But most servers, which include some routers, will need to be updated.
I've been wondering why Apple takes much longer than other OS vendors to
release critical security patches for such things, and it seems Ars
Technica may have the answer:
Chet Ramey, the maintainer of bash, said in a post to Twitter that
he had notified Apple of the vulnerability several times before it
was made public, "and sent a patch they can apply. Several
messages."
So it's not certain why Apple hasn't already packaged that fix for
release, other than
Mac OS X uses version 3.2.51.(1) of GNU bash, released in 2007; the
current GNU release of the shell is bash 4.3. However, the current
version is released under the GNU Public License version 3 (GPLv3).
Apple has avoided bundling GPLv3-licensed software because of its
stricter license terms, even dropping the open-source Windows
networking service Samba from OS X server in 2011 because Samba had
shifted to a GPLv3 license. Therefore, although patches for the
vulnerability have now been pushed out for most open-source operating
systems, Apple executives may feel they have to have their own
developers make modifications to the bash code.
<http://arstechnica.com/security/2014/09/apple-working-on-shellshock-fix-says-most-users-not-at-risk/>
In addition to bash, the versions of apache, rsync, and other components
shipping with the system are outdated versions that include many known
security exposures.
With technical development apparently driven by legal considerations,
Apple must single-handedly replicate large amounts of work the entire
rest of the world has already done.
If you're using OS X as a server, you'll need to compile your own bash.
Or simpler, just use Linux and have such things maintained for you
easily and quickly.
And check your router manufacturer to see if they have a firmware update
available.
--
Richard Gaskin
Fourth World Systems
LiveCode training and consulting: http://www.fourthworld.com
Webzine for LiveCode developers: http://www.LiveCodeJournal.com
Follow me on Twitter: http://twitter.com/FourthWorldSys
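An added self-check for anyone who administers an OS X or Linux server, written for this page and not taken from the post above or the articles it cites: it reports the installed bash version and probes whether that bash still imports function definitions from ordinary environment variables, which is what a vendor patch or a self-compiled bash is supposed to stop. The function names and the `probe` variable are assumptions of this example.

```shell
#!/bin/sh
# Example code (not from the original post). Verify that the bash on this
# machine no longer parses arbitrary environment variables as functions.

# Print the version string of a bash binary, or "none" if it is not found.
bash_version() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo none; return 1; }
    "$bin" -c 'echo "$BASH_VERSION"'
}

# Probe a bash binary with a harmless, function-shaped variable. An unpatched
# bash treats the value as a function definition and executes the trailing
# command, so "marker" appears on stdout; a patched bash ignores the variable
# and prints only "ok". Prints "patched", "vulnerable", "none" (binary
# missing) or "unknown" (bash produced unexpected output).
shellshock_check() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo none; return 2; }
    out=$(env probe='() { :;}; echo marker' "$bin" -c 'echo ok' 2>/dev/null)
    case $out in
        *marker*) echo vulnerable; return 1 ;;
        ok)       echo patched;    return 0 ;;
        *)        echo unknown;    return 2 ;;
    esac
}

# Usage: sh shellshock_check.sh [/path/to/bash]
# Exit status is non-zero unless the binary was found and reported "patched",
# so the script can run unattended from a monitoring job after each update.
if [ "${0##*/}" = shellshock_check.sh ]; then
    echo "bash version: $(bash_version "$1")"
    shellshock_check "$1"
fi
```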