Once again, this is a security centric note with a major security issue in core Linux functionality and a follow up on Error 53.

More old security issues found

Once again a major security issue was discovered in a core Linux functionality, this time in glibc. glibc is a core part of Linux, as not only are its libraries used everywhere they are also compiled into many of the core applications such as ssh, sudo, and curl. All tools that many people (myself included) use on a daily basis. The bug that cropped up is that part of this code has a buffer overflow problem that potentially allows remote code execution.

Like a lot of the major open source vulnerabilities¹ in the past few years, this bug wasn’t introduced recently but has been around for 8 years. It seems to have gone undetected until recently several groups discovered it around the same time. Luckily, these people (working for Google or Red Hat) are all good people and they diligently worked together with the maintainers to build a fix before the bug was disclosed publicly.

While I’m very happy to hear that a major vulnerability was fixed (but please make sure to update your servers and anything that uses glibc), I obviously don’t like that it was there in the first place. A lot of this kind of software, that a lot of servers depend on, is the work of volunteers and can become difficult to understand due to the complexity of the code. Because of this, there often aren’t a lot of people able and willing to look into it so it’s more likely that bugs crop up.

Don’t get me wrong, I think that the open source model for software is great² and the people doing all of this work are doing an amazing job. I just don’t like that far too often, until something happens, they don’t have as much support as they should have. Unfortunately, I don’t really have any good ideas for how to solve that either.

Error 53 resolved

An update on the Error 53 problem came through. I spoke of this at length a couple weeks ago due to how it bricked phones that had 3rd party repairs. As it turns out, my point that this was a security measure gone wrong was incorrect.

Last week, Apple released a fix for this problem, apologized to their users, and offered refunds for anyone who had to buy a replacement unit because of it. According to the TechCrunch article Apple said³ that this was intended as part of their factory tests to ensure no broken phones are delivered to their customers. As the error only occurs when installing an OS update over a wire that actually makes sense. Of particular note however is that while it wasn’t intended as a security measure, the fix does disable TouchID just as I⁴ proposed as the desired security solution when I wrote about this.

Now that this has been cleared up and resolved, we can focus completely on that other controversy with the company.

New iTerm 2 beta

If you’re using iTerm 2, you might have gotten a popup telling you about the beta for the upcoming release. Having played around with it a bit, I can tell you that it has some really great features. The shell integration for one is simply amazing.

I personally love that using automatic profile switching I can now more easily see based on the way iTerm looks what kind of server I’m logged into and if I’m running as root. Even if you’re not interested in running the beta, I recommend at least looking at the change list so you’ll know what you will be able to do with it once it’s released.

To give credit where it’s due, some of the new features are things you’ve long been able to do with tmux but I personally never really liked using tmux despite it’s power. This gives me a lot of that power, but in a way that I am more comfortable using.