Yes, you are overreacting. Read this article. Here is one pertinent part: The average user does not need to worry about "edge cases."
I read that article, too, before I made my original post, as well as the original Intego blog post that the MacWorld article got its information from. I've also spent some time in IRC chats and other dark corners of the net where this stuff gets discussed at a deeper level of detail. The MacWorld article somewhat oversimplified the Intego article's conclusions, and the Intego article hinted at other, more subtle exploits. The most publicized means of exploitation may, indeed, be "edge cases" (though "edge" may still impact a lot of people, even if it is nowhere near a majority of the millions of Mac users), but that does not preclude less well publicized cases that are actively being explored and that may go beyond the "edge." Given the centrality of bash to MacOS and other systems, and the ease of gaining control of a system if an unpatched bash can be accessed, there is a lot of credible discussion on ways to get to bash through indirect means. Bash is the focus of some serious attention right now.
In any case, I'm not an "Oh noes! The sky is falling!" kind of guy. I've been working with Macs since 1984, and I've been securing high-value international IT environments for a couple of decades. (Yes, I know that you've been around the block a few times, too.)
In my original message, my main comment was over Apple's spokesperson unnecessarily overstating the inherent security of MacOS, which would only embarrass the company if a more generalized way of exploiting the vulnerability was later discovered. (Again, keep in mind: since the original discovery of the vulnerability, at least two new ways of exploiting it have been found, with each requiring a different fix to the bash source code. This has been a rapidly developing situation, and it is difficult to say that we know all the complexities that are out there.) It's simply amateur-level PR, and Apple is better than that. Outside of the marketing world, there is no such thing as a "secure by default" computer. There is only more secure or less secure.
I don't mind saying that it may be nearly impossible to access bash remotely on a Mavericks machine fresh out of the box. It's hard to say, however, how hard or easy it is to do so once third-party software is installed, especially in an age when software routinely phones home to check for updates, etc. Vulnerability is not simply a question of "bash"; it's a question of the whole system, as it is used in the real world.
I'm less comfortable saying that it is nearly impossible to execute bash remotely on Snow Leopard (still ~20% or so of Macs in use, last I checked) or pre-Gatekeeper Lion, and I'm much less comfortable saying it about even older machines. Sure, those machines will have other vulnerabilities that need to be mitigated, but if you can get to a bash exec, that particular vulnerability is extremely easy to exploit in a generalizable way, so it's an attractive target.
In any case, it was good to see Apple respond unusually quickly in getting out a patch for 10.7-10.9. At least Apple's engineers seem to be taking this one seriously. I'll stand by my earlier advice: if you are running 10.4-10.6, give serious thought to installing TenFourFox's patch.
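The whole discussion above turns on one question a Mac owner can answer locally: is the bash on this machine still unpatched? The POSIX shell script below is an added example, not part of the original post or of the articles it cites. It checks the installed bash for the environment-variable function-import flaw by placing a function definition followed by trailing code into the environment and observing whether bash runs that trailing code at startup; a patched bash imports nothing from such a variable. The variable name `selftest` and the marker word `injected` are arbitrary choices made for this example, and the script assumes `bash` is on PATH.

```shell
#!/bin/sh
# Added example (not from the forum post): self-test of the locally installed
# bash for the environment-variable function-import flaw under discussion.
# Assumes 'bash' is on PATH. The variable name 'selftest' and the marker
# word 'injected' are arbitrary choices made for this example.

# Prints the version string of the bash found on PATH.
bash_version_string() {
    if ! command -v bash >/dev/null 2>&1; then
        printf 'bash-not-found\n'
        return 2
    fi
    bash -c 'printf "%s\n" "$BASH_VERSION"'
}

# Prints one of: patched, vulnerable, bash-not-found.
# Exit status: 0 patched, 1 vulnerable, 2 no bash available.
check_bash_function_import() {
    if ! command -v bash >/dev/null 2>&1; then
        printf 'bash-not-found\n'
        return 2
    fi
    # The environment value is a function body followed by trailing code.
    # An unpatched bash parses and runs the trailing 'echo injected' while
    # importing the function at startup; a patched bash ignores the variable
    # entirely, so the child only runs 'true' and prints nothing.
    out=$(env selftest='() { :;}; echo injected' bash -c 'true' 2>/dev/null)
    case "$out" in
        *injected*) printf 'vulnerable\n'; return 1 ;;
        *)          printf 'patched\n';    return 0 ;;
    esac
}

# Stand-alone report of what this machine's bash looks like.
printf 'bash version:          %s\n' "$(bash_version_string)"
printf 'function-import check: %s\n' "$(check_bash_function_import)"
```

The check exercises only the originally published variant of the bug; as the post notes, further parser variants followed, each needing its own fix, so a "patched" result here means the first hole is closed, not that every later one is. On a Mac, run it once with the stock `/bin/bash` first on PATH and, if you have installed another bash (Homebrew, MacPorts), once more with that one, since third-party software may invoke whichever bash it finds.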