Bruce Pokras wrote:
this is really a non-issue for the vast majority of OS X users.

Most home CLIENT COMPUTERS are probably safe, but many other systems remain vulnerable, and with things like routers those can compromise internally-connected clients.

Steven J. Vaughan-Nichols at ZDNet has a good overview of the current situation this morning, with new tests to be run to check the latest patches - from the article:

   If you're just running a Mac laptop or desktop, you shouldn't have
   any worries. What Apple doesn't say, but is nonetheless true, is
   that if you're running a Mac server to provide network services such
   as a Web or Dynamic Host Configuration Protocol (DHCP) server, you're
   wide open to being attacked.
<http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/>

But most servers, which include some routers, will need to be updated.

I've been wondering why Apple takes much longer than other OS vendors to release critical security patches for such things, and it seems Ars Technica may have the answer:

    Chet Ramey, the maintainer of bash, said in a post to Twitter that
    he had notified Apple of the vulnerability several times before it
    was made public, "and sent a patch they can apply. Several messages."
    So it's not certain why Apple hasn't already packaged that fix for
    release, other than

    Mac OS X uses version 3.2.51.(1) of GNU bash, released in 2007; the
    current GNU release of the shell is bash 4.3. However, the current
    version is released under the GNU Public License version 3 (GPLv3).
    Apple has avoided bundling GPLv3-licensed software because of its
    stricter license terms, even dropping the open-source Windows
    networking service Samba from OS X server in 2011 because Samba had
    shifted to a GPLv3 license. Therefore, although patches for the
    vulnerability have now been pushed out for most open-source operating
    systems, Apple executives may feel they have to have their own
    developers make modifications to the bash code.
<http://arstechnica.com/security/2014/09/apple-working-on-shellshock-fix-says-most-users-not-at-risk/>

In addition to bash, the versions of apache, rsync, and other components shipping with the system are outdated versions that include many known security exposures.

With technical development apparently driven by legal considerations, Apple must single-handedly replicate large amounts of work the entire rest of the world has already done.

If you're using OS X as a server, you'll need to compile your own bash. Or simpler, just use Linux and have such things maintained for you easily and quickly.

And check your router manufacturer to see if they have a firmware update available.

--
 Richard Gaskin
 Fourth World Systems
 LiveCode training and consulting: http://www.fourthworld.com
 Webzine for LiveCode developers: http://www.LiveCodeJournal.com
 Follow me on Twitter: http://twitter.com/FourthWorldSys
