[kwlug-disc] NSS Vulnerability

B.S. bs27975 at yahoo.ca
Fri Sep 26 01:22:05 EDT 2014


On Thu, 25 Sep 2014 19:20:19 -0400
Hubert Chathi <hubert at uhoreg.ca> wrote:

> On Thu, 25 Sep 2014 18:57:26 -0400, Keefer Rourke
> <keefer.rourke at gmail.com> said:
> 
> > I honestly appreciate the fuss though. If the media freaks out, at
> > least people will know about it and maybe consider updating their
> > systems more frequently.

Agreed. Or, leave the default on, automatically apply security updates.
(Checked once a day? I forget.)

> The problem is that if the general public gets overloaded with
> information about vulnerabilities, they'll get confused and won't know
> what to do about it all.

Not sure there's any 'overloading' involved there. If it's technical,
people tune out. Then run around like the sky is falling.

> It's fine for the technical press to be freaking out about bash,
> because that's who it affects, but the general press should be
> freaking out more about NSS, because NSS affects pretty much
> everyone.  As it is, right now, everyone is talking about bash, and
> hardly anyone is talking about NSS.

Don't understand why Mozilla is running anything called Network
Security, but never mind that. If I didn't know what NSS is, I can only
imagine the unvarnished media trying to make a viral soundbite out of
it.

At the least, to your point, the word should go out to make sure
auto-updates for browsers are left turned on, and to restart the browser.

Assuming those that 'know what they are doing' and have turned such off
are also smart enough to keep up with updates.

> For example, I don't understand why people care about bash on MacOS X
> being vulnerable.  It's true that it needs to be fixed, but it doesn't
> affect 99% of the Mac users out there, because they don't run any
> publicly available services that would be affected.

Not sure that's entirely true - a little bit of malware sucked down,
however, has the possibility of starting a root shell on one's own
Mac, leading to other nefarious things. (?)

One blurb I saw today said it's not just a matter of penetrating a
firewall first, most places (they said) are already penetrated, with
latent botnets sitting there. Send the botnet the bash malscript and
they're off to the races.

- they also raised the bugaboo of files not deleted but subtly modified
  in ways that may not be apparent for months.

Wonderful, thanks so very much for that, media. (Like that issue isn't
present in every vulnerability. Why no - special today only!)


As for my earlier message (restarting), thanks all for the reality
checks. I was only thinking about updating the in-use bash at the time.
Wasn't yet at the level of "it don't matter if your firewall ain't
open". Let alone internal vs. external commands, like most every other
command / shell in existence. D'OH! (So thanks to those posters.)
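The thread talks about "the bash vulnerability" without naming it; the check below assumes it is the September 2014 bug CVE-2014-6271 (the function-definition-in-environment-variable flaw). This is an added example, not something from the original post or from any of its posters. It probes whether the bash binary on the current host still executes a command smuggled in after a function definition in an environment variable, which is the mechanism behind both the remote (network service) and the local (downloaded malware) vectors the posters are arguing about.

```shell
#!/bin/sh
# Added example (not from the original post): probe the installed bash for
# the function-definition-in-environment flaw. Assumes the bug the thread
# refers to is CVE-2014-6271; the thread itself never names it.

# Prints "vulnerable" if a command appended to a function definition in an
# environment variable is executed when a new bash starts, "patched" if the
# trailing command is ignored, and "no-bash" if bash is not installed.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # The variable's value looks like an exported function definition
    # followed by an extra command. An unpatched bash imports the function
    # AND runs the trailing "echo vulnerable" on startup; a patched bash
    # refuses the import (and may print a warning on stderr, discarded here).
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# The binary the probe actually started. A shell or daemon that was already
# running when bash was updated still executes the old image it loaded, so
# this check says nothing about those processes until they are restarted.
probed_bash_binary() {
    command -v bash 2>/dev/null || echo "none"
}

shellshock_status
probed_bash_binary
```

Run it once before and once after applying the bash update; the second run should report "patched". The result applies only to newly started bash processes, which is the point the poster concedes above: anything long-running that was launched before the update, including services that spawn bash to run external commands, must be restarted before it benefits from the fix.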