Apple OSX update 10.9.5 - Key security update

Posted: Tue Sep 30, 2014 8:19 pm
by 8string
Just received notification from Apple that the 10.9.5 security update fixes the PHP vulnerabilities that could lead to exploitation of the Bash command under both OSX and Linux. This is a serious bug known by the name "Shellshock" that should have everyone updating as soon as possible, though at present it is not being widely exploited. The knowledge of this bug now will likely lead to exploitation by the bad guys out there. I updated tonight.

More info from Apple here
along with other recent security updates here...

It's really worth staying up on current OS X upgrades. 10.9.4 and 5 have been highly stable for me.

Re: Apple OSX update 10.9.5 - Key security update

Posted: Wed Oct 01, 2014 7:49 am
by Stephen Hart

Re: Apple OSX update 10.9.5 - Key security update

Posted: Thu Oct 02, 2014 5:49 am
by 8string
FROM WINDOWS SECRETS: one of the better and long-lived places that helps advanced technical Windows users: ... ou-and-me/

The good news is that most of us reading this board likely don't use Bash on our Macs. But we are likely unaware of its use in our routers, especially if you use a Cisco router. But the main point, as made before, is to upgrade your Mac OSX to the current version so you can't have the vulnerability put you at risk. Given the rise in Mac OS attacks in the last year, it's only a matter of time until a really nasty one that can exploit older versions shows up.

The first part of the article calls out the threat to most of our routers at our homes. See the bolded statement below for the need to likely update our home routers.

"Operating systems: Most major Linux- or Unix-based operating systems, such as Red Hat (blog post) and Ubuntu (post) already have patches for the initial bug. Many of those patches are listed on the National Institute of Standards and Technology’s National Vulnerability Database website. (See, for example, CVE-2014-6271.)
Unfortunately, many of those initial updates didn’t cover a secondary bug — CVE-2014-7169 — also being tracked at the NIST site.

If you’re running any Linux distribution, there’s a command you can enter to check whether your system is running Bash by default and thus is vulnerable. As noted in a Bobcares blog, enter the following at the command prompt:

# env x='() { :;}; echo Server is vulnerable' bash -c "echo"

If the command returns a "Server is vulnerable" message, be forewarned.

"Apple devices: Continuing my survey of personal Linux/Unix devices threatened by Shellshock, I considered my Apple MacBook notebook and my iPhone. An Apple Support forum post has a long and fairly technical discussion about Bash vulnerabilities in OS X. Simply put, if you're not using an Apple system as an Internet server — i.e., you're not giving direct, remote access to the system — you're not vulnerable to Shellshock.
That said, Apple has already released OS X Bash Update 1.0, according to a company support page. The patch applies to Lion v10.7.5, Lion Server v10.7.5, Mountain Lion v10.8.5, and Mavericks v10.9.5.

Keep in mind that any prior version of OS up to and including Snow Leopard will not get updates and will remain vulnerable. But again, that's only if you've set up the machine as a webserver or have enabled additional Unix capabilities.

Firewalls and routers: As noted in a 2012 SANS Institute white paper, "Exploiting embedded devices," the vast majority of home routers run BusyBox for their Unix tools. That makes those devices safe from the Bash bug.

However, that's not the case for some small-business firewalls provided by Cisco. The company has documented which devices are vulnerable to the Bash bug.

Androids: For consumers, there's more good news. Android devices ship with a variation of the Almquist shell (more info) — another form of Unix that's not threatened by Shellshock. Which means anyone using an Android phone or tablet is not at risk. (That's good, because Android operating systems are customized by device manufacturers; you can't simply go to Google's site to download a universal update.)"
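An added example, not from the thread or the Windows Secrets article it quotes: a POSIX shell script that runs the quoted CVE-2014-6271 check plus a second probe for the follow-up bug CVE-2014-7169 against a shell binary of your choice. The function names and the marker string are assumptions of this example; the 7169 probe is run inside a scratch directory so its only side effect (creating a file named "echo" on an unpatched bash) stays contained.

```shell
#!/bin/sh
# Exit status of shellshock_check: 0 = neither probe triggered (patched),
# 1 = at least one probe triggered (vulnerable), 2 = shell binary not runnable.
# Assumption: the binary under test imports functions from the environment the
# way bash does; dash/ash/BusyBox simply report "patched", as the article notes.

# CVE-2014-6271: commands after an exported function body must NOT execute.
probe_6271() {
    shell="$1"
    out=$(env x='() { :;}; echo SHELLSHOCK_6271' "$shell" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_6271*) return 1 ;;   # marker printed: trailing command ran
        *) return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first patch left a parser bug that turns the
# command "echo date" into "date > echo", creating a file named "echo".
probe_7169() {
    shell="$1"
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -e "$dir/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$dir"
    return "$rc"
}

# Run both probes against a shell and print a per-CVE verdict.
shellshock_check() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo "$shell: not found"; return 2; }
    status=0
    if probe_6271 "$shell"; then echo "CVE-2014-6271: patched"
    else echo "CVE-2014-6271: VULNERABLE"; status=1; fi
    if probe_7169 "$shell"; then echo "CVE-2014-7169: patched"
    else echo "CVE-2014-7169: VULNERABLE"; status=1; fi
    return "$status"
}

# Usage: check the system bash (or any other shell path given as argument).
# shellshock_check bash
```

On a current OS X or Linux system both lines should read "patched"; an unpatched bash 4.x or earlier prints at least one VULNERABLE line.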