Re: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
- Subject: Re: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
- From: Taylor Armstrong - NOAA Affiliate <email@hidden>
- Date: Fri, 24 Oct 2014 08:52:39 -0400
At least in my case, Timothy, I can confirm that this is NOT the case.
Full credentialed scan. Our problem is that the scoring is "highest common denominator". The 10.10 issue (Tenable plugin #78550) checks for OS version of 10.10 or greater. If it sees an OS less than that, it gets flagged.
The issue is that since 10.10 includes the shellshock "fix", which is rated "critical", it is being flagged by many agencies as "lacking the shellshock fix" despite having been previously patched, and despite Security Update 2014-005 including the patch, and thus it is getting a significant amount of negative publicity at the moment.