Apple releases important update

Status
Not open for further replies.
Apple has released an update to defend against Shellshock, according to Intego. I am impressed. That is quick.

I checked the Apple App Store for the update and it is still not listed, but Intego is in France. So maybe because they are one day ahead the update will not be released until tomorrow in the USA. Anybody running Mac OS X should get the update.
 
What happened a little while ago? There were something like three posts here and the posts disappeared! Did you notice that? It was strange.

The update fixes a security issue that came up very recently and involved Unix, Linux, BSD, and Mac OS X computers (and some router/modems).
 
Originally Posted By: Mystic
What happened a little while ago? There were something like three posts here and the posts disappeared! Did you notice that? It was strange.

At least I know I'm not just seeing things!
 
Yeah, you are not seeing things. There were at least three posts after my post to start the thread and I tried to post and there was a message that I was banned from posting in this post. And all of the posts except for the one that I started the thread with were gone!
 
Originally Posted By: Mystic
Yeah, you are not seeing things. There were at least three posts after my post to start the thread and I tried to post and there was a message that I was banned from posting in this post. And all of the posts except for the one that I started the thread with were gone!

Well that is good... I know it was a long day at work and class, but not that long to be seeing things.
That is very strange though.
 
The first reply was beyond irrelevant and it started down that path, so the post and replies were removed. I get that it was an attempt at a joke, but security updates are important regardless (I haven't looked into this one personally), and shouldn't be derailed, at least not right off the bat.

The intent was to ensure a little bit of relevant technical discussion before anything else.
 
Thanks, JHZR2. I did not know what was going on. Now I feel a lot better. Because I didn't know if someone somehow was messing around or exactly what was going on.

That upgrade is pretty important. I am glad that Apple fixed it so fast. That makes me feel pretty good because with some issues in the past they were pretty slow.

The problem is, for everybody on the internet, regardless of what operating system is being used on your desktop, the SERVERS on the internet, if they are Unix or Linux or even Mac OS X servers, can potentially be attacked. This is being called Shellshock and it is much more serious than the other problem involving Linux servers a while back.

It looks to me that the hackers are turning their attention to the server computers running the internet. And most of those servers (about 66% or so) are Linux operating system servers.
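For anyone who wants to check a box rather than just read about it, here is an added example (not code from any post in this thread) covering the two things the post above is worried about: whether the local bash is still affected, and whether a web server has been probed through the CGI vector. The Shellshock test string is the public one from the advisories; the access-log lines are constructed for illustration and the addresses are RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts): two
# checks an administrator can run after Shellshock (CVE-2014-6271).
# The access-log lines below are constructed for illustration.

# 1. Local bash test. Unpatched bash parses any exported variable whose
#    value starts with "() {" as a function definition and then executes
#    whatever follows the closing brace. A fixed bash leaves "x" as an
#    ordinary string, so only "test" is printed.
#    Prints one of: vulnerable, patched, no-bash
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# 2. Log triage for the web vector. A CGI gateway copies request headers
#    such as User-Agent and Referer into the handler's environment
#    (HTTP_USER_AGENT, HTTP_REFERER), so a probe shows up in the access
#    log as a header value beginning with "() {". Counts matching lines
#    read from stdin; "|| true" keeps a zero count from being an error.
count_shellshock_probes() {
    grep -c '() *{' || true
}

# Constructed sample log: two probes (one in User-Agent, one in Referer)
# and two ordinary requests.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock"
198.51.100.20 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { ignored; }; /bin/uname -a" "-"
192.0.2.44 - - [25/Sep/2014:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.37.0"'

# Runs the triage over the constructed sample; expected count is 2.
scan_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes
}

echo "local bash: $(shellshock_check)"
echo "probe lines in sample log: $(scan_sample_log)"
```

Two caveats. The local test only tells you about the bash binary it runs; it says nothing about whether CGI scripts, DHCP client hooks, or SSH forced commands on that box actually hand attacker-controlled strings to bash. And the first fix for CVE-2014-6271 was incomplete (CVE-2014-7169 followed within days), so compare the installed bash package against your distribution's advisory rather than relying on this one string alone.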
 
It is strange that this Mac update so far at least has not been available at the Apple App Store. I was informed about the update by Intego (Intego is in France) and they directed me to an Apple web page. That is where I got the update.
 
Originally Posted By: Mystic
the SERVERS on the internet, if they are Unix or Linux or even Mac OS X servers, can potentially be attacked.


Patches were out for Linux and UNIX-like OS's about 24 hours after the announcement of the vulnerability was made. (That's the power of thousands of nerds who work to make the software the best they can, in an open environment that encourages collaboration!) I can't imagine any server out there remaining unpatched unless it had been abandoned or is astonishingly poorly administered; which should rule out almost all of the mainstream sites we use. I'd bet my bottom dollar that the server running this very site was patched the instant the patch was issued.
 
Originally Posted By: Mystic
It is strange that this Mac update so far at least has not been available at the Apple App Store. I was informed about the update by Intego (Intego is in France) and they directed me to an Apple web page. That is where I got the update.


Wouldn't it be pushed out through MacOS's normal Software Updater? This is not the kind of thing Apple should be expecting their users to go get and install manually!
 
I am not trying to attack Linux operating systems or Unix or whatever. I am not as optimistic as you are. According to what I have been able to find out many servers still have not been updated to defend against that last vulnerability, whatever it was called. I can't remember off hand. There are hundreds of thousands of servers on the internet. What makes you think every Mom And Pop website, where the owners set up their own server, are going to keep their server/servers updated?

In the case of Apple Computers running Mac OS X, it is my understanding that there are STILL many Apple computers that have the Flashback Trojan on them. Over 600,000 computers were probably infected by that.

It is even more dangerous when servers are attacked than when a desktop computer is attacked. Because a server will often have passwords from many customers computers and often personal information, such as perhaps credit card information, etc.

I can't explain why (at least the last time I checked) the Mac update for Shellshock was not at the Apple App Store. I had to get it at an Apple web page that Intego directed me to. I guess I am lucky that I use VirusBarrier. I can thank the French. VirusBarrier is a French product.

The fact is, regardless if we are talking Windows computers and Windows, or Linux servers, or Mac computers, or whatever, sometimes it is a very long time, if ever, that computers get updated with important security updates. That is not some attack on Linux or whatever. Notice I said Windows computers also. Somehow there are many computers that do not get important security updates. There have been cases in the Windows world, for example, where security updates were available years before and there were STILL computers on the internet that had not been updated. That is difficult to believe unless some people turn off automatic updates. Or maybe they are using pirated software and can't get updates. I don't know.

So you can see I am not attacking Linux. What I am saying is there is a serious problem with computers not getting important security updates. And the problem is worse if the computers are server computers.
 
Originally Posted By: Mystic
I am not trying to attack Linux operating systems or Unix or whatever. I am not as optimistic as you are. According to what I have been able to find out many servers still have not been updated to defend against that last vulnerability, whatever it was called. I can't remember off hand. There are hundreds of thousands of servers on the internet. What makes you think every Mom And Pop website, where the owners set up their own server, are going to keep their server/servers updated?

Most will be automatically updated, as was already mentioned. The only ones I'd worry about much were ones that were running proprietary software where the administrator turned off automatic updates because he was worried that kernel updates might break the proprietary software. The average server running normal software obtained through normal channels will not have an issue.
 
Originally Posted By: Mystic
What makes you think every Mom And Pop website, where the owners set up their own server, are going to keep their server/servers updated?


Mom and Pop web sites are very, very, very rarely hosted on dedicated servers administered by Mom and Pop. They are almost exclusively on shared or virtual machine systems that are administered by big companies with IT staff that are on top of this stuff. I highly doubt that anyone associated with BITOG is updating the kernel or bash - it is up to the hosting provider to provide the hosting environment.

Originally Posted By: Mystic
The fact is, regardless if we are talking Windows computers and Windows, or Linux servers, or Mac computers, or whatever, sometimes it is a very long time, if ever, that computers get updated with important security updates.


That is certainly the case in the closed-source world, where fixes are only crafted and issued if it is deemed necessary for PR or profit. History and experience indicate that in the open-source world these things are disclosed and fixed immediately because there is nothing to hide from users - because the OS and peripheral software exist and are made for the **benefit** of the user, not to extract more money from them. With everyone on the same side there is no reason and no purpose for secrecy or delay.
 
Well uc50ic4more, I am not trying to argue with you. But that last vulnerability with Linux servers went undiscovered for a long period of time. I think it was something like two years but I can't remember exactly without doing some research. The new vulnerability, which is being called Shellshock by some, is even more serious and can affect Unix, Linux, BSD, and Mac OS X servers and potentially even Mac desktop computers, and even some router/modems.

You can put down Windows, Microsoft, and Bill Gates all you want to, and they are certainly far from perfect. But in the case of Linux servers I don't think there are enough people watching the store. Open Source or not, and people able to check out the software or not, the last security vulnerability went completely undiscovered for a long period of time. Sorry, but nobody was checking the software for any problems. A mistake in programming was made and it went undiscovered for a long time. And this affects all of us. It does not matter if somebody likes or dislikes Linux or whatever. Something like 66% of the servers on the internet use some version of Linux.

And I came across some articles a while back where various experts were saying that several Linux servers had not been updated to correct for that last vulnerability. I did not think I would need to have quotes available from those articles so I would now have to research it so I could find quotes for you.

Sorry, but I do not share your optimism that these problems are going to be corrected.

There are too few defenders and too many attackers. And the attackers seem to have more resources than the defenders.

If we want security on the internet there will have to be major changes. There will have to be a huge increase in funding for Linux programming if we are going to use mostly Linux servers on the internet. And somebody will actually have to be taking very good looks at all programming for any mistakes or vulnerabilities. Because these attackers have a lot of resources and they are checking everything very carefully, and we simply can't afford to continue the way we have been going.

This is no attack on Linux. These are the simple facts. I personally don't care much for Linux and Open Source Software, but we must make darn sure that the servers on the internet are secure, regardless if they are Windows servers or Linux or whatever. If the server computers can be attacked that is a much more serious issue than a personal computer somewhere being attacked.
 
http://en.wikipedia.org/wiki/Shellshock_(software_bug)

http://en.wikipedia.org/wiki/Heartbleed

http://www.zdnet.com/shellshock-makes-heartbleed-look-insignificant-7000034143/

https://securelist.com/blog/research/66719/shellshock-and-its-early-adopters/

http://blog.trendmicro.com/trendlabs-sec...active-irc-bot/

http://h30499.www3.hp.com/t5/HP-Security...94#.VC2Z7_MtCUk

https://www.us-cert.gov/ncas/alerts/TA14-268A

I am just an old man and I don't know much. Let me know if you need more sources of information. Pay careful attention to the third source where apparently this vulnerability was in the code for two decades, according to that source. I am in the process of locating additional sources of information. There is also information at The Safe Mac, Krebs on Security, and so forth.

Maybe it is time for software to be carefully checked for vulnerabilities, regardless if that software is open source or closed source.
 
This Shellshock vulnerability could be used by the NSA. It is supposed to be very easy to employ.

I wonder how many years the NSA may have known about it. The vulnerability has apparently been in open source software for twenty years.
 