Friday, September 26, 2014

FIX your BASH already! Correcting the BASH shellshock vulnerability

By now you've heard that just about every 'Nix box on the planet is vulnerable to a flaw in the BASH shell that lets commands smuggled into an environment variable get executed, regardless of your level of access.  Worse, it's been that way for 25 years!

Ok, so that's a problem but what's the solution?

It's actually pretty simple...

First you test, then you patch, then you test again.  I've provided some command line snippets you can use on your Red Hat or Debian based Linux distros.  The testing command is almost universal; the patch commands are more system specific.  Regardless, you need to get this done ASAP: less than 24 hours after its discovery there were already active bots scanning the net looking to exploit the vulnerability.

The command snippets you need are below as well as a video showing the update process.  The following link had the most complete information I've found if you want to know more.

https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability

You've got what you need, now go to it!



()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()

Testing command (at a shell prompt or terminal session)

env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"


Bash updates:

Debian/Ubuntu:

sudo apt-get update && sudo apt-get install --only-upgrade bash

CentOS/Red Hat:

sudo yum update bash
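The test-patch-retest routine above, wrapped into one script so you don't forget the last step. This is an added example, not from the original post: it runs the same environment-variable test (a marker string is printed only if the smuggled command actually executes), picks the Debian or Red Hat upgrade command given above based on which package manager is present, and re-runs the test after the upgrade. The function names and the "unknown" family handling are my own assumptions.

```shell
#!/bin/sh
# Shellshock (CVE-2014-6271) check, patch, re-check helper.
# Added example; not part of the original post. Assumes POSIX sh plus the
# apt-get / yum commands the post lists for Debian and Red Hat families.

# Return 0 (true) if the bash at $1 (default: bash on PATH) executes the
# command appended after a function definition in an environment variable.
shellshock_vulnerable() {
    bash_bin="${1:-bash}"
    # Marker that only shows up in stdout if the trailing command ran.
    marker="SHELLSHOCK_MARKER_$$"
    out=$(env VAR="() { :;}; echo $marker" "$bash_bin" -c "echo Bash Test" 2>/dev/null) || out=""
    case "$out" in
        *"$marker"*) return 0 ;;   # trailing command executed: vulnerable
        *)           return 1 ;;   # only "Bash Test" printed: patched
    esac
}

# Print which package-manager family this host belongs to.
detect_pkg_family() {
    if command -v apt-get >/dev/null 2>&1; then
        echo debian
    elif command -v yum >/dev/null 2>&1; then
        echo redhat
    else
        echo unknown
        return 1
    fi
}

# Print the bash upgrade command for a family (the two commands from the post).
bash_upgrade_cmd() {
    case "$1" in
        debian) echo "sudo apt-get update && sudo apt-get install --only-upgrade bash" ;;
        redhat) echo "sudo yum update bash" ;;
        *)      return 1 ;;
    esac
}

main() {
    if ! shellshock_vulnerable; then
        echo "bash is not vulnerable to the CVE-2014-6271 test"
        return 0
    fi
    echo "bash is VULNERABLE; attempting upgrade"
    family=$(detect_pkg_family) || {
        echo "no apt-get or yum found; upgrade bash by hand" >&2
        return 2
    }
    cmd=$(bash_upgrade_cmd "$family")
    echo "running: $cmd"
    sh -c "$cmd" || { echo "upgrade command failed" >&2; return 3; }
    # Test again: an upgrade that installed nothing new leaves you exposed.
    if shellshock_vulnerable; then
        echo "STILL vulnerable after upgrade; check for a newer bash package" >&2
        return 4
    fi
    echo "bash upgraded and re-tested: OK"
}

main "$@"
```

Exit status 0 means the final test passed; anything else means you are not done yet.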



Wednesday, August 20, 2014

Microsoft's Bloody Tuesday

Originally published on Kupeesh as Fear and Loathing of a Microsoft Patch



Poor Microsoft, it's been a tough couple of years for the software giant as it's gone through management upheavals, a failed operating system and a lackluster foray into the mobile market.

It seems they just can't catch a break...

That doesn't preclude them, however, from breaking things.

Case in point.  Last week's round of "Patch Tuesday" updates was filled to the brim with security and operating system fixes that millions of Windows PC's dutifully installed via automatic updates.

Normally keeping an operating system up to date is a good idea if you want to keep the bad guys out of your stuff.  But what do you do when the supposed good guys blow up your computer?

That's a question thousands of Windows users are asking as they now find themselves between the rock of Internet security threats and the hard place of a botched update.  

Even longtime Microsoft watchers like Paul Thurrott (Windows Weekly, Winsupersite) can only answer with, "That's a tough one."

The patch causing so much trouble is a seemingly innocuous update to the Russian ruble currency symbol in the Windows font library (KB2970228).  Apparently some users are experiencing everything from screwed up fonts to Blue Screens of Death (BSOD) after its installation.  As a workaround Microsoft is currently advising users to remove it and three other updates (KB2982791, KB2975719, KB2975331) that contain the offending code.  In addition, the download description pages for the affected updates have had their download links removed while Microsoft "investigates the issue."

Windows 7 and 8 are arguably the most robust operating systems Microsoft has ever produced, so the return of the BSOD nemesis from the days of Windows XP is going to raise some eyebrows.  BSODs only arise when a core operating system function has failed beyond recovery.

That's something we thought we left behind when the house of cards that was Windows XP finally shuffled off the stage.  So with so much progress, how could Microsoft allow an obviously unvetted update to be distributed on platforms from Server 2003 to Windows 8.1?

Yes I know, Microsoft, unlike Apple, doesn't control every variant of hardware that runs their software.  But it's for exactly that reason that one would think their update policy would err on the side of caution.  That goes double in a week that also saw major outages of the company's Azure cloud services.

Instead Microsoft seems bent on releasing new products (patches included) like automakers release new cars.  But operating systems aren't Chevys, and rushing new products to market always leaves something to be desired.  Just ask GM about taking shortcuts in a process for proof.

So what's the answer when a strategy of "rapid release" seems to rule the day?  Unfortunately it's "Caveat Emptor": buyer beware.  Microsoft appears committed to shooting out software patches and asking questions later.  So for now, you may just want to switch those automatic updates to "manual" and wait a week after Patch Tuesday to install the non-critical updates.


In this case the cure was worse than the disease.