Friday, September 26, 2014

BAD iOS 8

Greetings:

I received this from Chelanie Israel this morning.  If you are running a recent iPhone and want to upgrade to iOS 8 - OR - if you updated to iOS8 already, PLEASE read the following message (onlhy slightly edited for content and space).

===================================
iOS UPATE:  The update (8.02) to the bad code was released Thursday night (9/25/14) about 10 pm. I have tested the new update and we are ready to update iOS devices (iPads and iPhones) from 8.0 to 8.02 or you can move from 7 to 8.02 safely. Please do so as quickly as you can.

FYI: The original code that was effected was 8.01. It was released Thursday morning (9/25/14) at 6:00 am CST and pulled from the Apple servers at 9:00 am CST.

On the same note there is a vulnerability that was found early yesterday and confirmed all
  • Linux
  • BSD
  • MacOS
  • iOS if Jailbroken
  • Android with bash services turned on
  • Windows machines running IISS (server software).

If you haven’t upgraded to iOS 8.02, please do so as this will protect your iPads and iPhones (which are not suppose to be effected, but this is something that is being suggested by Apple), if you have a jailbroken phone, you will need to restore your iPhone to factory settings until they can fix the cydia breakpoint.

All versions of MacOS are vulnerable at this point. I have a call with Apple this morning (9/26/14) to find out if they will have a software update today.  So far, nothing.  I will be updating both of my servers this evening.

All versions of Mac OS Computers have the Shellshock vulnerability. However, some are more susceptible than others. To be completely safe you will need to update your bash (part of your command line from the BSD which is part of your operating system) from 3.2.51 to 3.2.53. This is done via one of two ways:

1. You can manually update the machine through the terminal
2. You can use the software update to do the update when it is available.  It looks as though this will be sometime within the next week.

Most personal machines are not vulnerable to Shellshock as someone would have to crack the firewall or router to which you are connected, to access your machine.  If you are only accessing the internet via your home or office network, then you have reasonable safety.  If you have a double firewall, again you have reasonable safety, but your machine is still vulnerable to Shellshock.

You can also make sure that Sharing, Remote Login and Remote Management are turned off. Although this helps, this does not fix the vulnerability to Shellshock.

The reason you may want to update manually is because your machine either sits on the web for people to access (i.e. servers) or you travel and use public WiFi (i.e. hotels, McDonald's, Starbucks, etc) often. If you are using a private MiFi device, that is not a public WiFi.

What is Shellshock? It is a vulnerability or hole in the code that allows someone to take over your computer without you giving them permission. It is definitely something that needs to be protected from.

______________________________________
Chelanie Israel aka Miss Mac

email:    chelanie@missmac.ch • missmac@mac.com
web:    http://www.designbymissmac.com
blog:    http://www.dearmissmac.com
twitter:     MissMacsMuses
                c: 214.718.1967  • f: 469.327.0843

======================================
Later on Chelanie sent this out:

From a terminal window:

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0   
$ # Note: The bash23-053 patch does not apply cleanly on OSX because
$ # of a missing y.tab.c file. This can be ignored or the alblue
$ # one used instead. Upstream commits the y.tab.c file so doesn't
$ # have that problem.
$ # Not-yet-released-patch - replace alblue.bandlem.com line with:
$ # curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0 
$ curl http://alblue.bandlem.com/bash32-053.patch | patch -p0
$ cd ..
$ sudo xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version # GNU bash, version 3.2.53(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.53(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

To verify it worked:

$ bash --version

Source: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an


======================================

Here is a link to an InfoWorld article on Shellshock:

http://www.infoworld.com/article/2687975/security/four-no-bull-facts-to-know-about-the-shellshock-bash-bug.html

 I hope this helps some of you.  If not, contact Apple Support - if you can get through their clogged telephone lines right now.  And, as normal, it is a crisis with the weekend coming up.

Shalom
Ya'akov

No comments: