Apple ships OS X 10.8.5 security update – fixes “sudo” bug at last
I’m calling it a security update, though it’s officially a full-on point release of OS X Mountain Lion, taking the 10.8 variant of Apple’s OS X to version 10.8.5.
But with twice as many security fixes listed as regular bug fixes and improvements, I’m happy to call it a “security update,” if only in the hope you’ll feel a bit more urgency about deploying it.
There are 15 official security patches, one fix that Apple has appended to the list without explicitly admitting that it was a security issue, and one bonus patch that is mentioned on Apple’s website but not in its emailed security advisory.
I’ll start with the free bonus patch, because I’m delighted it’s happened and I think you should know about it.
The infamous sudo privilege escalation, documented and patched by sudo itself back in February and pointedly exposed on OS X by Metasploit last month, is no more.
Confusingly, if you run sudo -V to check the version number, you might get the impression it hasn’t been updated, since 1.7.4p6a has the same core version string as the version shipped with 10.8.4 (1.7.4p6).
Nevertheless, the sudo binary has been updated, and in my tests, the privilege escalation bug had vanished.
Until 10.8.4, doing a sudo -k (which is supposed to deauthenticate you, and thus does not require a password), followed by setting the time to just after midnight on 01 Jan 1970, would give you root access.
In 10.8.5, it does not.
Presumably, Apple yielded to public pressure to fix this long-running hole, but, instead of taking all the sudo changes from the past few months, just backported the sudo -k fix to version 1.7.4p6, a much less risky change.
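The timestamp logic behind the bug, as an added illustration rather than sudo’s or Apple’s own source: a constructed model of the cached-credential check, with the vulnerable form beside the hardened one. The function names, the 5-minute timeout and the epoch-marker convention are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Constructed model of sudo's cached-credential ("ticket") check; this is
 * an added illustration, not sudo's real source. The ticket is the mtime
 * of a per-user timestamp file, and "sudo -k" resets that mtime to 0, the
 * Unix epoch, to mark the user as deauthenticated. */
#define TIMEOUT_SECS (5 * 60)   /* sudo's default 5-minute grace period */

/* Vulnerable check: any mtime within TIMEOUT_SECS before "now" is valid.
 * If the clock is set to shortly after 01 Jan 1970, the epoch marker left
 * by "sudo -k" satisfies this test and no password is asked for. */
bool ticket_valid_vulnerable(time_t mtime, time_t now)
{
    return mtime <= now && (now - mtime) < TIMEOUT_SECS;
}

/* Hardened check: the epoch is an explicit "not authenticated" marker and
 * is never accepted, and a ticket dated in the future (the clock was moved
 * backwards after authentication) is rejected as well. */
bool ticket_valid_fixed(time_t mtime, time_t now)
{
    if (mtime == 0)
        return false;               /* reset by "sudo -k": reauthenticate */
    if (mtime > now)
        return false;               /* clock skewed backwards: reauthenticate */
    return (now - mtime) < TIMEOUT_SECS;
}

/* Replays the scenario from the text: "sudo -k" (mtime = 0), then the clock
 * is set to one minute past the epoch. Returns true if the given check would
 * grant access without a password. */
bool grants_root_after_clock_reset(bool (*check)(time_t, time_t))
{
    time_t after_sudo_k = 0;        /* ticket reset by sudo -k */
    time_t rolled_back_clock = 60;  /* 00:01:00 on 01 Jan 1970 */
    return check(after_sudo_k, rolled_back_clock);
}

int main(void)
{
    printf("vulnerable check grants root: %s\n",
           grants_root_after_clock_reset(ticket_valid_vulnerable) ? "yes" : "no");
    printf("fixed check grants root:      %s\n",
           grants_root_after_clock_reset(ticket_valid_fixed) ? "yes" : "no");
    return 0;
}
```

Note that, as the article says, the version string printed by sudo -V does not tell you which check a binary contains; only the behaviour does.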
Moving up the list, the not-a-security-fix I mentioned above is included, almost as an afterthought, as follows:
Read more here.
14 NASA Sites Hacked
An interesting article by Lisa Vaas of NakedSecurity.
As of Friday afternoon, a notice on NASA’s kepler.arc.nasa.gov website was reading “Down for Maintenance: The requested webpage is down for maintenance. Please try again later.”
The site is only one of what appear to be 14 hacked subdomains, hosted in the heart of Silicon Valley, that were defaced on Tuesday and stayed offline for some time. Pastebin has listed the URLs here.
According to CWZ: Cybercrime Revealed, a hacker/hackers using the handle BMPoC posted a deface page along with a message on all the hacked websites that linked the attack to possible US military intervention in Syria, as well as to US spying on Brazil.
The message:
NASA HACKED! BY #BMPoCWe! Stop spy on us! The Brazilian population do not support your attitude! The Illuminati are now visibly acting!
Obama heartless! Inhumane! you have no family? the point in the entire global population is supporting you. NOBODY! We do not want war, we want peace!!! Do not attack the Syrians
The hacker is apparently the same one who took down four NASA domains in April 2013, according to Hack Read.
A NASA spokesman told FoxNews.com that the space agency’s IT staff are now investigating, but that nothing major had been compromised:
On Sept. 10, 2013, a Brazilian hacker group posted a political message on a number of NASA websites. ... Within hours of the initial posting, information technology staff at the Ames Research Center discovered the message and immediately started an investigation, which is ongoing. At no point were any of the agency’s primary websites, missions or classified systems compromised.
The hacked sites housed information on the Kepler space telescope, planetary exploration, the moon and more, all run out of the organisation’s Ames Research Center.
Read the rest here.
[FREE] Download Advanced Persistent Threat Protection FOR DUMMIES
Complete the form on their site and get a free copy of Advanced Persistent Threat Protection FOR DUMMIES
You will learn how:
- To protect your information
- To recognize when a threat is present
- To rid yourself of detected threats
- APT protection solutions work
Download the eBook here
Sam from HackersforCharity.org Tells us about “School in a Box”
SecurityOrb.com contributor Hans Bosch (@Hans_Bosch) asked Sam of Hackers for Charity about “the cute little yellow device”, which is called “School in a Box”.
“School in a Box” is an all-in-one device built around a Raspberry Pi, a LiPo battery, a solar charge controller, and a power mode controller, housed in a Pelican case. It gives students with limited Internet connectivity access to information such as Khan Academy videos, Project Gutenberg books, a subset of Wikipedia, and much more.
For more information contact @ihackcharities on Twitter.
9 Tips for Keeping Your Internet Usage Private [Infographic]
An interesting INFOGRAPHIC from WhoIsHostingThis.com:
The loss of privacy in the golden age of the Internet has quickly gone from troubling possibility to uncomfortable reality. Ours is a world immersed in information, and oversharing has become the rule, rather than the exception.
Every single minute, 639,800 gigabytes of information is transmitted around the ‘Net: 47,000 apps are downloaded, Google handles more than two million searches, and 100,000 bon mots, adverts, and assorted logorrhea appear on Twitter in the form of tweets. The information superhighway’s expanding exponentially, and new batches of data are ready to go tearing down the lanes as soon as they’re laid.
Read the rest here:
![9 Tips for Keeping Your Internet Usage Private [Infographic] by Who Is Hosting This: The Blog](https://i0.wp.com/www.whoishostingthis.com/blog/wp-content/uploads/2013/07/9-Tips-For-Internet-Privacy-branded.jpg?w=1500)
Hacker cracks Vodafone Germany servers and steals data of 2 million users
Interesting article taken from our content partners at HackersNewsBulletin.com:
Today, a hacker attacked Vodafone Germany’s servers and allegedly stole the personal data of about 2 million customers. Police suspect that a contracted IT specialist carried out the attack.
According to news reports, the hacker stole:
- Name
- Address
- Bank Account Numbers
Officials say the data stolen by the hacker is not usable: “It is hardly possible to use the data to get direct access to the bank accounts of those affected,” Vodafone said in a statement.
Read the rest here.
