For our Linux users:

… and Mac users also, it seems.

Thanks I missed that in my initial scan of the article. I might have been a little shell shocked that this time it wasn’t us Windows users.

“Heartbleed,” discovered in April…

http://www.google.com/search?q="Heartbleed"+"openssl"+"fixed"

A fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed (wikipedia)

Whenever Microsoft is releasing a new version of Windows, this kind of news is disseminated [end my paranoid mode] :slight_smile:

So if this is true, the problem will be solved very fast.
Thanks for the warning…

Edit:
Well, today most Linux distributions updated Bash and the problem is apparently solved.

I read about this in the news this morning, and just as I started testing whether my system was vulnerable, the updates arrived :slight_smile:

However, we still have this issue where the world seems to rely on free software developed by very small teams for its security. Someone will have to update an awful lot of servers.

@organic you are absolutely right. And, just this morning in the New York Times was the discovery of another weakness in open source written so long ago that for twenty two years it has laid servers open to a complete takeover. And, before someone takes issue with my wording I’m not a tech type. Apparently companies jumped on open source code many years ago and built on that. So here was one guy in his free time attempting to maintain this code but regardless it was now integrated into their system.

I’m really surprised at how Open Source is attacked when only a few security holes are detected per year, compared to many more security holes in closed source software.
Just look on Google at the security holes that are found per year in Windows or any of its components, such as Internet Explorer. Also in much closed source software such as Adobe Flash Player.

This is just talking about security holes, not counting the thousands of dangerous pieces of malware.

It may not just be the number of security holes so much as opposed to the total severity of them and just how much opportunity they allow for a would be cyber-criminal (like how much damage they can do to the finances of large companies or an entire country’s economy).

As far as I know, heartbleed was a pretty big whopper of a security hole that could’ve opened the floodgates for a major uptick in cyber crime. I know that some FOSS defenders will try to play the hypocrisy or conspiracy card when possible because they don’t want to believe that anything in open source is badly done or falls short of closed source solutions.

Correcto mundo! It’s the definite security holes that make it severe. All the opportunity for the cyber criminal. Or Kriminal in some context.

Apple has taken note evidently.

Now to track illegal hackers, hunt them down, confiscate their computers and have them pay a million dollars.

This is a hard problem to fix. It’s not likely to be a quick patch and on to something else kind of a problem. From what I gather it’s a serious logic problem that might take some rewriting.

Well, for those of us running Arch on our servers:

pacman -Syu

Done, patched, fixed.
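As an added check that is not from the thread or from any distro: after `pacman -Syu` (or whatever update mechanism a server uses) you can confirm that the installed bash really rejects the CVE-2014-6271 pattern instead of trusting the package version. It assumes a POSIX sh and that `bash` is on PATH; the probe only echoes a marker string.

```shell
#!/bin/sh
# Added example: report whether the bash on this host still honours the
# CVE-2014-6271 "function definition followed by a trailing command" import.

# Exit status: 0 = patched, 1 = vulnerable, 2 = no bash on this host.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    # Constructed environment variable: a function body and then a trailing
    # command. An unpatched bash executes the trailing 'echo' while importing
    # the function; a patched bash treats the value as plain data and at most
    # logs a warning on stderr, which we discard.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' \
          bash -c 'echo probe-done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 1 ;;
        *) return 0 ;;
    esac
}

# One-line status, convenient for collecting from a fleet of servers
# (hostname, bash version, verdict) via ssh or a config-management run.
shellshock_report() {
    ver=$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null || echo none)
    if shellshock_check; then
        s=patched
    else
        case $? in 1) s=VULNERABLE ;; *) s=no-bash ;; esac
    fi
    echo "$(uname -n) bash=$ver CVE-2014-6271=$s"
}

shellshock_report
```

Run it on every host after the update lands; a line ending in `VULNERABLE` means the new package was not actually installed or a stale bash binary is still being picked up.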

The problem is not all systems use the rolling-release model, particularly not stable systems like webservers. If you browse the right sort of forum you can find posts where people are like “Well, we’ve fixed it on our laptops and home computers, but to fix it on all our webservers? Going to take a long time for it to filter down from upstream”

Here’s the thing about security holes:

  • There are an infinite number of them. In 30 years, we will look back and say “How insecure their systems were,” but at the time, they were good enough because no-one had come up with the exploits. So yes, this is a glaring hole, but it took hackers how many years to find it? A lot longer than Heartbleed. So in some sense, it is a smaller hole, or at least a harder one to find, than Heartbleed.

But yeah, this is a simple, easy to use/understand hole. I give it a week or two before someone writes a nice little virus that uses this. Hang, if I had the time these days I’d be tempted to reincarnate Creeper, a non-destructive virus that jumps to a computer, displays “I’m the creeper, catch me,” then transfers itself to a new machine, removing itself from the old one.

For Reference:
I much prefer actual technical details to these media waffles, so here are some nice quotes I found:
Source

The announcement of CVE-2014-6271 was made at 2014-09-24 14:00 UTC. Two minutes and five seconds later, the fix was committed to the Arch Linux [testing] repository, where it was tested for a solid 25 minutes before releasing into our main repositories.

A later bug was discovered that bypassed this first patch, then.

About 36 hours after the first bug fix, packages were released for Arch Linux that fixed the second CVE and included the hardening patch (which upstream appears to be adopting with minor changes). There were also two other more minor issues found during all of this that were fixed as well – CVE-2014-7186 and CVE-2014-7187.

Try to beat 36 hours to a rollout of a complete fix.

Then there’s good ol’ superuser.com with the information to update old servers.

The problem will be in those several million IP cameras, smart fridges etc. that don’t have any patch/upgrade functionality. How long till there’s a virus that makes your fridge think it’s always out of cheese?