Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,795
31,270



terminalicon2.png
Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed," referring to the flaw discovered earlier this year in the popular OpenSSL software which secures connections between clients and servers:
Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.
Click to expand...
Heartbleed was said to have affected 66% of the Internet, although Apple announced in April that the exploit did not affect its software or "key services." Apple also released updates for the AirPort Extreme and Time Capsule to better secure both web devices against Heartbleed.

A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week. It is possible however that Apple will release a fix for OS X in the near future to address the exploit, similar to what it has done for other security issues in the past.

Article Link: 'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services
 
Article Link
https://www.macrumors.com/2014/09/25/bash-flaw-os-x/
Yebubbleman

Yebubbleman

macrumors 603
May 20, 2010
5,832
2,421
Los Angeles, CA
I guess this could be the one time that Microsoft fans can say to OS X and Linux (really any 'NIX) fans that Windows DOESN'T have a flaw that IS present on OS X, Linux and any other Unix-based OS.
 
Avenged110

Avenged110

macrumors 6502a
Aug 2, 2010
610
699
Greatest Country on Earth (RIP 1776-2021)
Why would Apple have included a fix in previous updates for a bug that was reported on today?(Unless it was reported to them before being published, but that doesn't sound like the case.) Of course a fix wasn't included and will have to ship with a new security update...
 
Slix

Slix

macrumors 65816
Mar 24, 2010
1,453
2,019
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
 
H

H2SO4

macrumors 603
Nov 4, 2008
5,674
6,954
Eweie said:
*facepalm* you people don't know what bash is do you. this has nothing to do with apple.
Click to expand...

Of course it bloody is. If it’s something they can fix they should regardless of who designed the core of the OS.

If you bought a brand new car that had a faulty battery and the car dealer said he could temporarily fix it rather than have you wait for an item from Varta you’d take it right?
 
F

fluchtpunkt

macrumors member
Aug 16, 2013
92
45
Slix said:
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
Click to expand...

If only Bash would have been open source so people could search bugs in the source code


/s
 
F

foobarbaz

macrumors 6502a
Nov 29, 2007
886
2,048
Relax, people, the sky is not falling.

This problem primarily affects things running a (web) server.

Your home Mac might technically be affected, but you're likely not running anything that exposes the bug to an attacker.
 
MentalFloss

MentalFloss

macrumors 65816
Mar 14, 2012
1,020
841
Managed to find some detailed information this. Redhat security blog appears to be down (possibly due to an overload of requests).

"So far, HTTP requests to CGI scripts have been identified as the major attack vector."
"The other vector is OpenSSH"
http://seclists.org/oss-sec/2014/q3/650

Not a reason for panic for the vast majority of users, but obviously not something that should remain unpatched for long.
 
F

fluchtpunkt

macrumors member
Aug 16, 2013
92
45
djtech42 said:
So is this only a problem if SSH sharing is enabled?
Click to expand...

This is only a problem if you have something like a server that runs bash scripts that set environment variables to values that come from untrusted sources (e.g. html forms, API calls).

If you are not sure if you are running such a thing you are most likely not directly affected by this.
 
R

recoil80

macrumors 68040
Jul 16, 2014
3,117
2,755
Avenged110 said:
Why would Apple have included a fix in previous updates for a bug that was reported on today?(Unless it was reported to them before being published, but that doesn't sound like the case.) Of course a fix wasn't included and will have to ship with a new security update...
Click to expand...

Where did you read that Apple included a fix in previous updates?
The article talks about heartbleed fixed, not this new bug and states that perhaps a fix will be included in future updates
 
B

batchtaster

macrumors 65816
Mar 3, 2008
1,031
217
djtech42 said:
So is this only a problem if SSH sharing is enabled?
Click to expand...

No. Many installers, for example, use scripts. e.g.: to remove an older version before installation, to perform some form of activation, create symbolic links, etc.

For example, scripts in the Microsoft Office 2011 updater specifically register updated components with LaunchServices (rather than letting LaunchServices just eventually figure it out), and scripts in Apple's own iTunes installer quit the iTunesHelper progress that looks for iPod/iPad/iPhone devices to be connected before the software is updated, and update the kext cache afterwards. Some of the "enhancement"/tweak tools (the TinkerTool-like apps) often perform their tweaks via a library of shell scripts that put a GUI on a command-line function.

These scripts may or may not run as bash scripts; they may also be perl, python, csh, sh, etc. bash is simply one (very popular) runtime environment; one that you can also interact with line-by-line via the Terminal.

As always, care should be taken with anything you download or use.

recoil80 said:
Where did you read that Apple included a fix in previous updates?
The article talks about heartbleed fixed, not this new bug and states that perhaps a fix will be included in future updates
Click to expand...

A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week.
Click to expand...
 
K

kerrikins

macrumors 65816
Sep 22, 2012
1,242
530
This article seems to have more info:

http://www.theglobeandmail.com/technology/new-bash-software-bug-may-pose-bigger-threat-than-heartbleed/article20781350/
 
djtech42

djtech42

macrumors 65816
Jun 23, 2012
1,447
56
Mason, OH
batchtaster said:
No. Many installers, for example, use scripts. e.g.: to remove an older version before installation, to perform some form of activation, create symbolic links, etc.

For example, scripts in the Microsoft Office 2011 updater specifically register updated components with LaunchServices (rather than letting LaunchServices just eventually figure it out), and scripts in Apple's own iTunes installer quit the iTunesHelper progress that looks for iPod/iPad/iPhone devices to be connected before the software is updated, and update the kext cache afterwards. Some of the "enhancement"/tweak tools (the TinkerTool-like apps) often perform their tweaks via a library of shell scripts that put a GUI on a command-line function.

These scripts may or may not run as bash scripts; they may also be perl, python, csh, sh, etc. bash is simply one (very popular) runtime environment; one that you can also interact with line-by-line via the Terminal.

As always, care should be taken with anything you download or use.
Click to expand...

I do use bash in the terminal (basic commands, homebrew, cocoapods, etc.), so I would be affected then?
 
T

Tech198

Cancelled
Mar 21, 2011
15,915
2,151
Bash is UNIX/Linux yes ?

Which would mean it exited in the UNIX days to, not just Apple..

I don't use Terminal hardly ever.
 
D

Dorje Sylas

macrumors 6502a
Jun 8, 2011
524
370
What about routers with Web interfaces? Since networked webcams with HTML interfaces are noted I have to wonder about similar routers.

Not that I'd see WHY a router should be using a Bash shell to modify its settings from the web UI but....
 
Last edited:
L

Lictor

macrumors 6502
Sep 13, 2008
383
21
Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed"
Click to expand...

The big difference is that heartbleed affected web servers, so computers that are facing attacks on a daily basis and where a single attack can compromise thousands of users. There are very few OSX servers on the Internet, most of the OS computers on the Internet are PC. So, I fail to see how this could be as big as Heartbleed.
 
gnasher729

gnasher729

Suspended
Nov 25, 2005
17,980
5,565
fluchtpunkt said:
If only Bash would have been open source so people could search bugs in the source code


/s
Click to expand...

You mean like OpenSSL? Which is basically an unmaintainable and undocumented mess of code? Where you are free to search for bugs in the source code, but have no chance to find them, and even less of a chance to fix them?
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom