Security Market Segment LS
Tuesday, 30 September 2014 11:30

Apple's bash update arrives


Good things come to those who wait: Apple has released an updated version of the bash shell software for OS X.

Earlier this month, Stephane Chazelas revealed a major flaw in bash, the shell software used in Linux and Unix-related systems, including OS X.

A shell processes commands, whether they are entered directly in a terminal program or contained in scripts.

The flaw, widely known as Shellshock, has been present for two decades.

In broad terms, Shellshock allows an attacker to trick bash into executing parts of strings as commands.

The US National Institute of Standards and Technology (NIST) assigned it the highest possible severity score of 10.0, because it is remotely exploitable, easy to access, no authentication is required, and it allows the unauthorised disclosure of information, unauthorised modification, and disruption of service.

A particular issue is that bash is thought to be present in a wide range of devices that use Linux such as routers and surveillance cameras. (That should not be interpreted as a blanket claim that all such devices are vulnerable, only that owners should ask the question of their vendors.)

In that regard, the main concern seems to be devices with a web interface that execute cgi (common gateway interface) scripts, as attackers can craft malicious URLs that exploit the bug on such devices, just as they can on regular web servers that use the vulnerable software.

Another part of the problem is that Shellshock is said to give attackers a way to reach other vulnerabilities that may be present in affected systems, for instance to gain higher privileges.

As previously reported, Apple did not release a patch in the same timeframe as Linux distributions did, but that patch has now arrived.

Page 2: Apple's update

Apple's bash update addresses both the original issue identified by Mr Chazelas and a related problem identified by Tavis Ormandy.

Curiously, Apple has not followed its usual practice for distributing security updates.

The bash update is not available via the Mac App Store; instead, users must manually download the patch corresponding to their version of the operating system from Apple's web site.

For the convenience of iTWire readers, here are the relevant links: Lion, Mountain Lion and Mavericks.

Given the age of the flaw, all earlier versions of OS X are also affected but Apple has not released corresponding updates for them.

This particularly affects people still using the Snow Leopard release, the last version of the operating system that supports PowerPC software.

If they don't want to go to the trouble of compiling a current version of bash from the source code, the TenFourFox project (a Mozilla-based browser for Power Macs) offers a prebuilt patched version for ease of installation.

That version apparently works on all versions of OS X up to and including Snow Leopard.

Work is still being carried out to fix related issues that have been uncovered in the 'official' version of bash, so it is possible that there will be at least one further update from Apple.

Subscribe to ITWIRE UPDATE Newsletter here

Now’s the Time for 400G Migration

The optical fibre community is anxiously awaiting the benefits that 400G capacity per wavelength will bring to existing and future fibre optic networks.

Nearly every business wants to leverage the latest in digital offerings to remain competitive in their respective markets and to provide support for fast and ever-increasing demands for data capacity. 400G is the answer.

Initial challenges are associated with supporting such project and upgrades to fulfil the promise of higher-capacity transport.

The foundation of optical networking infrastructure includes coherent optical transceivers and digital signal processing (DSP), mux/demux, ROADM, and optical amplifiers, all of which must be able to support 400G capacity.

With today’s proprietary power-hungry and high cost transceivers and DSP, how is migration to 400G networks going to be a viable option?

PacketLight's next-generation standardised solutions may be the answer. Click below to read the full article.


WEBINAR PROMOTION ON ITWIRE: It's all about webinars

These days our customers Advertising & Marketing campaigns are mainly focussed on webinars.

If you wish to promote a Webinar we recommend at least a 2 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

We have a Webinar Business Booster Pack and other supportive programs.

We look forward to discussing your campaign goals with you.


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News