![]() ![]() I wish all those developers and system administrators who now have to tackle the problems brought by Log4Shell success in the fortnight before Christmas. While the security of a language and its implementations are laudable goals, they’re no guarantee that what we do with them is in the least bit robust or secure. CYBERDUCK MAC SIERRA FREEBecause Log4j is open source and free to use, this vulnerability can extend to almost any hardware platform and operating system, in any product which uses Log4j as a convenient tool for logging.Īs others have pointed out, there’s an ultimate irony too, in that Log4j is implemented in Java, a language whose second goal is to be “robust and secure”. Had a similar vulnerability existed in the Unified Log, then its impact would have been limited to Apple computers and devices, and probably then only to macOS which exposes the log to users. It’s totally different from Log4j, though, and one fact Mac users can rely on is that Apple’s Unified Log doesn’t suffer from Log4Shell. CYBERDUCK MAC SIERRA CODEApple’s Unified Log is closed source commercial code which has had its fair share of problems since it was introduced in Sierra. The second lesson is that vulnerabilities in open source code are likely to have more widespread and devastating consequences, because they’re so widely used, particularly when in basic services such as logging. ![]() Just because a few billion people could read that source code doesn’t mean that serious vulnerabilities such as this will be detected before they appear in released products. But they will continue doing so, whether their source code is open to public view, or closed and proprietary. It appears to be the result of a design error which no good commercial engineering team should have ever perpetrated. As it happens, this glaring vulnerability which is so trivial to exploit came to light in Minecraft. As both are written by fallible humans, that’s a false assumption. CYBERDUCK MAC SIERRA SOFTWAREOn many occasions, those writing comments here castigating Apple for vulnerabilities and other bugs have insisted that using open source rather than proprietary software is a solution. I offer two lessons which we all need to learn, whether we operate global network services or just a battered old Mac.įirst is that open source is no protection from vulnerabilities. No doubt there’ll be plenty of post mortem analyses written about this in due course. If you’re concerned that a service you operate or control is still vulnerable, the Appendix at the end of this article contains some tips and links. It also doesn’t appear to have affected macOS or other direct connections. Although researchers were able to demonstrate the vulnerability when connecting to iCloud through the web on 9 and 10 December, by 11th that no longer worked. As these services are often embedded in other systems and services, it may be months before everything is properly patched.Īs you’d both hope and expect, iCloud was fixed quickly. Almost every external service that your Mac connects to, though, has had to undergo very fast patching, and smaller services may well continue using the vulnerable logging system for weeks before anyone realises there’s a problem. Unless you run services on your Mac which use Log4j for logging, and those are exposed to incoming Internet connections, this has no direct consequences to Mac users. Essentially, all the attacker has to do is send a request along the lines ofįor the payload file to be executed in the context of the server’s Log4j logging system. ![]() For inside many web services there’s a logging system known as Log4j or Java Log 4j, which could be exploited trivially from any browser.Īll those services – including iCloud, Steam, Twitter, CloudFlare, Amazon, Tesla, Google, LinkedIn, and Minecraft – were wide open to malformed requests using the Java Naming and Directory Interface, or JNDI. But last week that new zero-day vulnerability set most of the servers around the world alight. ![]() Unless you administer Internet services, from a basic web app up to vast systems like Twitter and iCloud, you could be forgiven for not recognising the name Log4Shell. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |