“Shell Shock” Exploit — Probably Not a Worry For OS X Users

We’ve been hearing a lot about a very serious exploit in a universally-deployed piece of software, the “Shell Shock” bug in the bash shell. I got an alert late yesterday evening, and immediately upgraded the software on my publicly-facing servers.

There’s been some discussion of whether or not it’s an issue for OS X, and some debate over whether it’s a significant exposure on that platform. I didn’t think it was, but I haven’t seen an update for OS X Server to patch it, for example.

My own version of bash is managed through Homebrew, so rather than the stock 3.2, I’m running a newly patched and up-to-date v4.3.25(1). However, I got curious, so I decided to check the stock OS X version of bash for this exploit, and here’s what I found:

TerminalScreenSnapz002

So, the (rather antiquated) OS X version of bash, which has a “modified” date of May 10, has already been patched to disallow this hack, or so it would appear.

UPDATE: Apple’s given a statement on iMore that OS X users should not be at risk from the “Shell Shock” exploit unless they have “advanced UNIX services configured”. I’m not sure which specific “advanced UNIX services” they’re referring to — at a guess, “Web Sharing”, which I don’t do, seems a likely suspect — but that may be the explanation for the commenters reporting vulnerability and me not seeing it on my system (either in /bin/bash or in /bin/sh)…

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson told iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

UPDATE, 2014-10-01: Apple has put out a patch for OS X systems.

Installing the Scratch 2.0 Editor on Linux Mint 17

I want to be able to have kids to Scratch programming without an Internet connection on an open source desktop distro, in spite of Adobe AIR no longer being actively supported on Linux.

This turns out to be not too challenging. First, get the AIR installer:

$ wget http://airdownload.adobe.com/air/lin/download/latest/AdobeAIRInstaller.bin

Make it executable.

$ sudo chmod +x AdobeAIRInstaller.bin

The AIR installer will complain that it can’t find the GNOME Keychain libraries where it expects to, so let’s set up symlinks for those (this is for a 64-bit system):

$ sudo ln -s /usr/lib/x86_64-linux-gnu/libgnome-keyring.so.0 /usr/lib/libgnome-keyring.so.0
$ sudo ln -s /usr/lib/x86_64-linux-gnu/libgnome-keyring.so.0.2.0 /usr/lib/libgnome-keyring.so.0.2.0

Now, we can run the AIR installer.

$ sudo ./AdobeAIRInstaller.bin

Next, browse to http://scratch.mit.edu/scratch2download and grab the Linux version of Scratch.air. If your browser doesn’t offer to open it with the Adobe Air Installer application when it’s been downloaded, find the file, right-click on it, choose “Open with…”, browse to /usr/bin and select the Air Installer.

You should have a working version of the Scratch 2 Offline editor when the install has completed.

Saturday Linkfest

Work

Freelancers Union logo
A new survey conducted by the Freelancers’ Union has found that 53 million American workers, about one-third of the labor force, are freelancers. Get your own copy of the survey, or learn more about the Freelancers’ Union.

Want to participate in building a technological utopia for freelancers in whitest, coldest Canada?

Web Design & Technology


Rob McQueen and my friends over at Collabora have gone the extra mile to get us a high-quality browser for our Raspberry Pi systems! Thanks, guys!

Katherine Halek provides a good overview on the importance of establishing a coherent typographical hierarchy and ways to arrive at one.

Ever wanted your bicycle to sound like a galloping stallion? (You know you have.) Trotify — more than just “two halves of coconuts” — has the answer.

Web Designer Depot gives us a detailed walkthrough of the design effort involved in getting the Wired magazine web site to a responsive layout.

Use a Raspberry Pi to build an alarm clock that tells you what the weather is like and reads you the news.

Design

3035156-slide-s-20-moleskine-notebookstord-boontje
Moleskine has a show at the 2014 London Design Festival, and has enlisted the aid of a number of creative-types to destroy their notebooks in as artistic a fashion as possible. If the world isn’t the way you want to to be, change it.

Fast Company provides an excellent “oral history” of Apple’s design language from 1992 to 2013.

What’s designing a font from the ground up like? Steve Matteson tells us about it.

The Examined Life

practicalwisdom
Maria Popova reviews Barry Schwartz’s Practical Wisdom: The Right Way to Do the Right Thing over on Brain Pickings.

And even bears get philosophical.