'Shellshock' Attacks Could Already Top 1 Billion

HardOCP News

It is important to note that this report "estimates" that attacks "could be as high as one billion."

The Shellshock vulnerability is dangerous because it can be exploited to remotely execute code on affected machines, which could lead to malware injections, data theft and server hijacking. Because the shell is widely used, millions of users are at risk. In the four days since the vulnerability was disclosed, Incapsula's Web application firewall deflected more than 217,000 exploit attempts on over 4,100 domains.
 
Apple has released hotfix-style patches that cover two of the three vulnerabilities in its version of bash; they fix CVE-2014-7169 and CVE-2014-6271, but not CVE-2014-7186, which is probably why they haven't been pushed to Software Update yet. Apple states that "With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced Unix services." If you need them, here's the patches for OS X Lion (10.7), OS X Mountain Lion (10.8), and OS X Mavericks (10.9).
 
Just about every appliance is Linux with some level of shell capability, like your router. I would suggest looking for patches.
 
The software updater in Mint was like, so all over this. As each CVE was published, there was a fix available pretty much within a few hours that got installed. I didn't have to wait around for update Tuesday for my laptop to not be exploitable.
 
The software updater in Mint was like, so all over this. As each CVE was published, there was a fix available pretty much within a few hours that got installed. I didn't have to wait around for update Tuesday for my laptop to not be exploitable.

The updater on my Ubuntu Plex server was broken, so I installed Mint this AM and ran updates. After a few minutes I'd say it runs better than Ubuntu already. Other than the dash, I don't miss it. The box is barely up to the task of being a Plex Server so I put on Xfce(?) for the interface, which I believe is generally lightweight. It's fine.
 
The disturbing part about all of this is that the vulnerability has existed since around 1992.



This isn't why you don't use bash. You didn't even know about the bug until everyone else was informed about it.

I've known Bash was a buggy, NIH'ed mess since well before this vulnerability.
 
The updater on my Ubuntu Plex server was broken, so I installed Mint this AM and ran updates. After a few minutes I'd say it runs better than Ubuntu already. Other than the dash, I don't miss it. The box is barely up to the task of being a Plex Server so I put on Xfce(?) for the interface, which I believe is generally lightweight. It's fine.

That's awesome to hear! I haven't really done much of anything with Ubuntu lately. I tried 12.0.4.4 on a netbook with an Atom n270 and it felt pretty slow so it wasn't installed for more than a few hours before I messed with other stuff. Mint 17 with Cinnamon seems more usable on the same lame-o hardware. :) I haven't tried the Xfce build yet, but maybe I should look at it more closely.
 
I can see ASUS issuing a patch if their routers are vulnerable, I seriously doubt Linksys/Cisco and Dlink will bother. They'll just release new models with the patch pre-installed and expect everyone to buy them and toss the old one.
 
But Linux and Apple are unhackable

It's like saying the AMC Javelin is a safer car than a Chevy Camaro due to traffic stats.
The "safer" aspect is due more to obscurity than actual safety.
 
I can see ASUS issuing a patch if their routers are vulnerable, I seriously doubt Linksys/Cisco and Dlink will bother. They'll just release new models with the patch pre-installed and expect everyone to buy them and toss the old one.

ASUS routers do not use bash, nor do they even use bash's ancestor sh (which may or may not be vulnerable).

"The Asuswrt shell is called 'ash', and is provided by Busybox. The sh symlink is merely for convenience/compatibility, and probably carries no direct code relation to neither bash nor sh." - RMerlin, who writes the Asuswrt-Merlin alternative firmware

http://forums.smallnetbuilder.com/showthread.php?t=19718
 
Addendum to my previous post: no version of ASUS firmware or Asuswrt-Merlin firmware is vulnerable because they don't use bash.

It is possible to make your ASUS router be vulnerable by installing bash after using other firmwares like optware. Hopefully, if you're advanced enough to have done this, you'll be advanced enough to know that you need to fix the problem and how to do so.
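
The distinction made in the posts above, that `sh` on Asuswrt is a Busybox symlink and that bash is only present if it was installed separately, can be checked on a live system or on an unpacked firmware tree. The following is an added example, not from the thread or from ASUS or Asuswrt-Merlin; the function names and the list of directories searched are assumptions.

```shell
#!/bin/sh
# Added example: report which shell a path really is, and whether bash is present.

# classify_shell PATH -> prints bash | busybox | dash | other | missing
classify_shell() {
    # Follow the whole symlink chain so "sh -> busybox" is reported as busybox.
    resolved=$(readlink -f "$1" 2>/dev/null) || resolved=""
    if [ -z "$resolved" ] || [ ! -e "$resolved" ]; then
        echo "missing"; return 0
    fi
    case "$(basename "$resolved")" in
        bash)    echo "bash" ;;
        busybox) echo "busybox" ;;
        dash)    echo "dash" ;;
        *)       echo "other" ;;
    esac
}

# audit_root ROOT -> one line for ROOT/bin/sh, then one line per bash binary found.
# ROOT is "/" for a live system or the directory of an unpacked firmware image.
audit_root() {
    root=${1%/}
    echo "sh=$(classify_shell "$root/bin/sh")"
    # Directory list is an assumption; opt/bin is where Optware-style add-ons land.
    for dir in bin usr/bin usr/local/bin opt/bin; do
        if [ "$(classify_shell "$root/$dir/bash")" = "bash" ]; then
            echo "bash=/$dir/bash"
        fi
    done
}

# needs_bash_patch_check ROOT -> exit status 0 if any bash binary exists under ROOT,
# meaning its version must be compared against the vendor's fixed release.
needs_bash_patch_check() {
    audit_root "$1" | grep -q '^bash='
}
```

A result of `sh=busybox` with no `bash=` lines matches the stock ASUS situation described above; any `bash=` line means that binary still has to be patched, even when `sh` itself is not bash.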
 
But Linux and Apple <aka UNIX> are unhackable

Linux and Unix are easily *hackable* if you leave doors open, and there are plenty to leave open. But at the same time closing those doors makes for a VERY robust system.

While I use Windows daily, there are several major functionalities that are missing from Windows that are in Linux/UNIX.
 
The software updater in Mint was like, so all over this. As each CVE was published, there was a fix available pretty much within a few hours that got installed. I didn't have to wait around for update Tuesday for my laptop to not be exploitable.

I know you are just trolling, but there are a few reasons for the wait. First off, for something major they release patches out of the normal cycle, so you would get them sooner than the next update Tuesday. However, it probably would be longer out than a few days. The reason is that they actually have to care about breaking stuff. When it comes to Linux, you don't have as much stuff to worry about breaking, as there aren't as many different programs running on it, and for the ones that are running, if a patch breaks something, that is your problem. About the same with Apple: if something breaks, oops, we will fix that next time. If Microsoft breaks something, there is a much larger impact. So they actually have to test their patches and test them well. Test it against different hardware platforms, different versions of Windows, against different versions of software... They then send it out to a few beta sites to make sure they can run the patch in the wild without issue, then they release it to everyone else.

One of the few times they actually released a next-day patch, it was found that whatever was patched was being used by Realtek to a degree with their network drivers. It caused a lot of computers to no longer be able to get on the network without you making a few small changes to the driver. That caused a massive issue. Similar things have happened when they have made changes before being able to let AV companies update their definitions for the coming change, and suddenly McAfee or Norton are deleting important OS files because it thinks they are infected due to having changed.

So Microsoft has to be a little more careful in their updating than Linux or Apple.
 
Trolling? How so?

It's true that there were very fast (like literally within hours) patches released to fix Bash problems as the CVEs were being published and they made it to my Mint laptop like right away. It's also true that Microsoft releases patches on a schedule with them being on the 1st(?..maybe second) Tuesday of the month which means waiting until that day for updates. It's not trolling to like state reality.

I didn't make any claims about software testing or not testing. I didn't mention Apple's update policy. I didn't mention things being broken or not by updates. If you wanna find weird stuff between the lines that isn't there to get upset about, that's a lot more like you trolling yourself than me forcing you to feel or think something. :( I don't get why people are so sensitive about software sometimes.
 
You guys really need to stop "bashing" Linux. :D

I stopped caring about what goes on in the majority of Linux distros after they became Poetterrix. There is a small but very influential group of people (e.g. Lennart Poettering, GNOME, Red Hat) who are determined to turn Linux into Windows complete with bloated crapware like SystemD and Pulseaudio. The only Linux distros left that are worth bothering with are Slackware and Gentoo, and, given the choice, I still prefer BSD.

The only reason people still use Bash is because too many idiots think that /bin/sh = /bin/bash and so they design their crapware to require it. I do not have bash installed on any of my *BSD installs and I refuse to install any program that requires it.
 