On 09/25/2014 03:29 PM, Edward Ned Harvey (lopser) wrote:
From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
On Behalf Of Yves Dorfsman

What do you guys do for your OS X non-technical users?

Give them instructions on how to update bash manually?
Give them instructions on how to close port 22 and 80 when using public wifi?

Does anybody have any idea when Apple might release a proper patch?

My opinion:  The only way to exploit the bug is to *first* run some malicious 
code that would tweak your environment such that the bug is then being 
exploited.  In other words, this bug doesn't expose users to risk of simply 
browsing a malicious website accidentally and compromising your system; this 
bug is a trojan backdoor that needs to first execute some malicious code on 
your system in order to expose the backdoor.

Yes it's a bug to be taken seriously, no I don't recommend building your own 
patched bash.  For three reasons:

#1  Suppose you patch bash, and then Apple releases an update.  What will be 
the behavior of their updater when it sees your nonstandard binary?  I have 
seen times when the updater would clobber a nonstandard file, and I've seen 
times when the updater refuses to operate because there's a nonstandard file 
sitting there.  I simply cannot say how Apple's updater would behave in this 
specific scenario.

#2  Even if you patch it, I don't think they've released fully patched source 
code yet for bash.  They have instructions to build an updated bash, but it's 
still subject to another variant of the same bug.  I am reasonably certain that 
as soon as *fully* patched bash source code is available, Apple will build it 
and distribute it.

#3  In order to exploit this bug, the attacker must execute some malicious code 
on your system *first*, or modify core system files on your system *first*.  If 
they can do that, they could exploit this bash backdoor, or any one of numerous 
other possible backdoors.

Yves,

A wonderful person created an OS X package with patched versions of Bash for 10.6 to 10.9. You can get the package here:

http://blog.designed79.co.uk/?p=2000

cheers,

ski

--
"When we try to pick out anything by itself, we find it
  connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, s...@lopsa.org, 206-501-9803
or ski98033 on most IM services
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
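The thread is about the bash environment-import bug (Shellshock); the original bug and the first follow-up variant that an early rebuild was still subject to were published as CVE-2014-6271 and CVE-2014-7169. Before installing a third-party package or rebuilding bash, a practitioner wants a repeatable check of whether a given bash binary is still affected by either. The script below is an added example, not code from the thread or from Apple: it runs the two public test strings from 2014 against a bash path and reports the result, and it includes a constructed stand-in script that mimics only the CVE-2014-6271 behaviour so the detection logic can be exercised on a machine whose real bash is already patched. The environment variable name `probe` and the helper names are this example's own choices. Note that the trigger is any environment variable bash imports, which is why the thread mentions ports 22 and 80: sshd (via ForceCommand setups) and CGI web servers pass client-supplied strings into bash's environment.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: probe a bash binary for
# the two Shellshock variants (CVE-2014-6271 and CVE-2014-7169).  The
# variable name "probe" and all helper names are this example's own choices.

# shellshock_6271 BASH -> prints "vulnerable", "patched" or "unavailable".
# A vulnerable bash keeps parsing after the exported function body and runs
# the trailing "echo VULN" while importing the environment at startup.
shellshock_6271() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo unavailable; return 0; }
    out=$(env probe='() { :; }; echo VULN' "$bash_bin" -c 'echo done' 2>/dev/null)
    case $out in
        *VULN*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

# shellshock_7169 BASH -> same result strings for the follow-up variant.
# The truncated function body leaves redirection state behind, so a
# vulnerable bash turns "echo marker" into a write to a file named "echo"
# in the current directory.  Run it in a scratch directory and look for
# that file instead of trusting stdout.
shellshock_7169() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo unavailable; return 0; }
    tmp=$(mktemp -d) || { echo unavailable; return 0; }
    ( cd "$tmp" && env probe='() { (a)=>\' "$bash_bin" -c 'echo marker' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$tmp"
}

# make_fake_vulnerable_bash DIR -> path of a constructed stand-in script.
# It is NOT bash: it reproduces only the CVE-2014-6271 behaviour for the
# "probe" variable (execute whatever follows the function body) and then
# hands off to /bin/sh, so the detector's "vulnerable" path can be tested.
make_fake_vulnerable_bash() {
    fake=$1/fakebash
    cat >"$fake" <<'EOF'
#!/bin/sh
case ${probe-} in
    '() {'*) eval "$(printf '%s\n' "$probe" | sed 's/^() {[^}]*};*//')" ;;
esac
exec /bin/sh "$@"
EOF
    chmod 755 "$fake"
    echo "$fake"
}

# report BASH -> one line per variant, e.g. "/bin/bash CVE-2014-6271: patched"
report() {
    echo "$1 CVE-2014-6271: $(shellshock_6271 "$1")"
    echo "$1 CVE-2014-7169: $(shellshock_7169 "$1")"
}

# Stand-alone use: check the bash on PATH, or the binary given as $1
# (on OS X, e.g. /bin/bash, or the path a third-party package installed to).
report "${1:-$(command -v bash || echo /bin/bash)}"
```

Run it against every bash on the box, not just the one on PATH: on OS X that means at least `/bin/bash` and `/bin/sh` (which is bash there), plus any copy a package installed elsewhere, since a patched binary in one location says nothing about the others.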
