You didn't edit your list enough. SunOS was updated this year; IRIX was last updated around 2006.

And Tru64 Unix (a.k.a OSF/1) shipped V5.1B6 in 2010. Full support ended at the end of 2012, and it still has "mature product support" from HP.

The "haven't been current for about 20 years" was gross exaggeration.
 
Even after Yosemite is released, prior major versions of OS X like Mavericks are still in active support, especially for security patches.

If you think that holding this sort of an update for 3-4 weeks when a patch is available is acceptable I think your expectations are a little low.

Update needs to be shipped asap. End of story.

Glassed Silver:mac

The only people affected are advanced users capable of setting up a Mac as a server on the web. Those people can build their own BASH. If they can't, then why are they Unix administrators?

As it is nothing patch wise has fully fixed the problem.

----------

So my computer is apparently vulnerable. Wonderful!

Are you running SSH or a web site off that machine? If not then you are safe. Just because the installation of BASH is vulnerable doesn't imply your machine is.
 
I really hope they release an update for Lion onwards. A lot of users on white MacBooks were prematurely left behind with Lion because Apple couldn't be bothered to rewrite the graphics driver.

Also, there are a lot of people who won't want to update to Yosemite, so an update for 10.7, 10.8, 10.9 and 10.10 will hopefully ship :)

Are you using Unix advanced services? If not I wouldn't worry.
 
You didn't edit your list enough. SunOS was updated this year; IRIX was last updated around 2006.

I remember applying the 6.5.30 update CDs to my last remaining Tezros Christmas of 2006. SGI didn't ever release another update set again. We used IRIX as a mainstay for smoke until 2008.
 
OS X Yosemite, last update, and no, I am not safe!

You may have a vulnerable version of bash, but that doesn't necessarily mean you're unsafe. Two things have to happen in order for someone to be able to exploit this problem:

1) Someone has to be able to supply unsanitized input to the bash shell
2) The bash shell has to contain the vulnerability.

By running the test from the Terminal you're verifying the second part is true. What Apple is saying (and they seem to be correct on this) is that the first part isn't true for the vast majority of their users, so it's not remotely exploitable. You can try it because you have physical terminal access, but without some form of access to your system in the first place it isn't going to help an unauthorized user.

If someone has set up a web server (or other remote service) and utilized CGIs or other scripts that end up invoking bash, then they may have a problem, but a normal user who has no clue what the significance of "#!/bin/sh" is has nothing to worry about.

Just because your system contains a vulnerability doesn't immediately make you unsafe; that's the merit of defense-in-depth. Just because the lock on my wife's jewelry box is crap doesn't mean anyone can just walk in and steal her stuff; I still have a lock on my front door that works fine.

For those calling for Apple to patch the problem immediately keep in mind that there isn't currently an upstream patch that completely addresses the issue. A patch was issued yesterday for the bash source code that was found to be incomplete. As of this morning an official complete fix still isn't available from the package maintainer. Apple (along with many other vendors) may be waiting for a complete fix now that they've verified that the likelihood of a remote exploit is very low for their user base.
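The two conditions in the post above, worked through in code. This is an added example written for this page, not code from the thread, Apple or GNU bash. Condition 2 is the Terminal probe the post mentions, run through subprocess (assumption: bash is on PATH; the function returns None if it is not). Condition 1 is modelled on how a CGI gateway copies request headers into the spawned script's environment (the RFC 3875 HTTP_* naming convention), which is the path that hands attacker-controlled text to bash on a web server and does not exist on a Mac that serves nothing. The request headers and the `198.51.100.7` address are constructed for the example.

```python
"""Shellshock (CVE-2014-6271) exposure: the two conditions from the post."""
import os
import re
import subprocess

# The Terminal probe: a function definition travels through the environment
# and an unpatched bash keeps parsing past the closing brace and runs the
# trailing command on startup.  Patched bash prints only "this is a test".
PROBE_ENV = {"x": "() { :;}; echo vulnerable"}
PROBE_CMD = ["bash", "-c", "echo this is a test"]

# What an environment value has to start with for unpatched bash to treat
# it as a function definition (slightly looser than bash's exact "() {").
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")


def local_bash_is_vulnerable():
    """Condition 2: run the probe against the local bash.
    Returns True (vulnerable), False (patched) or None (no bash on PATH)."""
    try:
        out = subprocess.run(PROBE_CMD, env={**os.environ, **PROBE_ENV},
                             capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.SubprocessError):
        return None
    return "vulnerable" in out.stdout


def cgi_environment(headers, query=""):
    """Condition 1: a CGI gateway exports each request header as
    HTTP_<NAME> (upper-cased, '-' -> '_') plus QUERY_STRING before it
    spawns the script.  Every value here was chosen by the remote client."""
    env = {"QUERY_STRING": query}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def injected_vars(env):
    """Names of environment variables whose value an unpatched bash would
    execute as code when the CGI script (or anything it calls) starts bash."""
    return sorted(k for k, v in env.items() if FUNC_DEF.match(v))


def scan_access_log(lines):
    """Detection: Apache access-log lines carrying the function-definition
    marker in the request line or any logged header.  Returns the line
    numbers (1-based) that match."""
    return [i for i, line in enumerate(lines, 1) if "() {" in line]


# Constructed sample requests (not real traffic).
ATTACK_HEADERS = {
    "User-Agent": "() { :; }; /bin/ping -c 1 198.51.100.7",
    "Accept": "*/*",
}
BENIGN_HEADERS = {"User-Agent": "Mozilla/5.0", "Accept": "*/*"}

# Constructed Apache combined-format log lines, one probe among normal hits.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 17 "-" "() { :; }; /bin/ping -c 1 198.51.100.7"',
    '192.0.2.10 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("local bash vulnerable:", local_bash_is_vulnerable())
    print("vars an unpatched bash would execute:",
          injected_vars(cgi_environment(ATTACK_HEADERS)))
    print("suspicious log lines:", scan_access_log(SAMPLE_LOG))
```

On a Mac with nothing listening, `local_bash_is_vulnerable()` answers only the second condition; `cgi_environment` shows why the first one needs a network service that turns untrusted input into environment variables and then runs bash.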
 
Apple "Bashing"

This is just a media blitz against Apple.

I've used UNIX for over 30 years.

If you don't know what UNIX is, you're most likely not at risk at all.

If you like to tweak your OS with non-Apple configurations, you might be slightly at risk.

If you're a bonehead, you're at risk.

This is blown way out of proportion. Some posters say Apple needs to patch this immediately. B.S., 99.99999% of Apple users will never have an issue. However, if you are running Linux/Unix servers, you might want to watch this more closely.
 
http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html

Fixes it now and for any OS X version regardless of Apple's support status for your OS.


See above, also, Lion and up remain supported for security patches.
Also, I could imagine that even unsupported OS X versions like Snow Leopard (its security support cycle ran out this year) MIGHT get an official goodwill update from Apple.

Glassed Silver:mac

I don't think I would be applying random patches just yet unless you're in a mission critical situation, and you really know what you're doing.

----------

This is just a media blitz against Apple.

I've used UNIX for over 30 years.

If you don't know what UNIX is, you're most likely not at risk at all.

If you like to tweak your OS with non-Apple configurations, you might be slightly at risk.

If you're a bonehead, you're at risk.

This is blown way out of proportion. Some posters say Apple needs to patch this immediately. B.S., 99.99999% of Apple users will never have an issue. However, if you are running Linux/Unix servers, you might want to watch this more closely.

For Linux servers it is serious. For osx users don't get excited. Apple will patch it soon enough.
 
Apple Unix minus Unix

I was disappointed years ago when I realized Apple had built their stack under Unix but Apple had rolled their own with regard to security, startup, shutdown, and many if not most unix administration processes I was familiar with.

I accepted that, and went on with my life realizing Apple doing things Apple's way was in its DNA.

Now, with the Bash shell problem, I am much more appreciative of the Apple way. Unless you are a sophisticated Unix user using the advanced power of the standard Unix tools, which are incredibly powerful in the right hands, this Bash problem is nothing to worry about.
 
The only people affected are advanced users capable of setting up a Mac as a server on the web. Those people can build their own BASH. If they can't, then why are they Unix administrators?

As it is nothing patch wise has fully fixed the problem.

----------



Are you running SSH or a web site off that machine? If not then you are safe. Just because the installation of BASH is vulnerable doesn't imply your machine is.

You've been here a long time so I'm going to give you a lot of credit. However there are lots of reasons in addition to running a server on the web to have SSH open. For instance, recovering a corrupted router.

I think Apple misspoke when they stated only a few advanced unix users. It's just too easy these days to get advice on a forum to tell you, "turn on SSH", and someone forgets to turn it off.

At a minimum, Apple should have listed steps to make your device secure until they release a patch.
 
Apple is having a bad week.

This is what an earlier poster meant when they said this was overblown. The issue itself is huge. But it's not an Apple issue. It's an issue that affects Bash, and that runs on all 'nix-derived OSes including Apple's.

Does Apple need to address it? Yes. But so does everyone else who distributes a variant. The difference here is that Apple will make it easy for millions of people to easily patch their systems, while millions more will be left to fend for themselves.

The thing that really bugs me about all of these sensational headlines is that media outlets are taking complex issues and winnowing them down to simplistic headlines that are either half-truths, or totally unsubstantiated, because they know that putting Apple in the headline will gain them clicks.

One irony of this is that I would be willing to bet that the vast, vast majority of Apple desktop and laptop users who are vulnerable to this are probably vulnerable on servers that run a non-Apple version of Linux or Unix.
 
Everything nowadays gets blown out of proportion. I remember all the Y2K crap and it came and nothing happened. Now we hear about bending iPhones and this, and none of this stuff is affecting more than 1% of anyone out there. This is why I don't even read these stories on the news online or watch local news.
 
For Linux servers it is serious. For osx users don't get excited. Apple will patch it soon enough.

For Linux users and MacOS X users it's no problem. For Linux servers and MacOS X servers it's a problem. However, the reporting makes it look as if all the MacOS X users (many of them inexperienced users who run MacOS X because their more experienced friends had enough of providing free Windows support) are in danger, and nobody else is, and that of course is nonsense.

And the real problem is not _your_ Mac which is most likely absolutely safe, but all these servers which might get hacked and then you run into trouble if you connect to a website with your computer, no matter what computer.
 
Exactly my thoughts. Most users are safe. Advanced users like myself are not. Update will be very welcomed.
 
Everything nowadays gets blown out of proportion. I remember all the Y2K crap and it came and nothing happened.
The reason "nothing happened" is in no small part due to all the work that was done to prepare.
 
I remember applying the 6.5.30 update CDs to my last remaining Tezros Christmas of 2006. SGI didn't ever release another update set again. We used IRIX as a mainstay for smoke until 2008.

Hopefully you didn't have it reachable by the internet for those two years it did not receive security updates. Doing so now, for a service with any significance, 8 years since its last update, would be especially foolish.
 
This is just a media blitz against Apple.

I've used UNIX for over 30 years.

If you don't know what UNIX is, you're most likely not at risk at all.

If you like to tweak your OS with non-Apple configurations, you might be slightly at risk.

If you're a bonehead, you're at risk.

This is blown way out of proportion. Some posters say Apple needs to patch this immediately. B.S., 99.99999% of Apple users will never have an issue. However, if you are running Linux/Unix servers, you might want to watch this more closely.

Media blitz against Apple? So far what I've read was mostly targeting bash and only bash, maybe mentioning which systems are affected in those articles and so far I've only seen the news roll on tech blogs.

Far from a blitz against Apple.

Also, as that "some poster", let me say that Apple is still in the server business, and since their servers as of Lion use the same base install the desktops do and then add the server parts through an App Store purchase - an add-on to what we all are running, basically - this indeed needs immediate patching.

Is OS X Server as widespread as FreeBSD or CentOS or most other UNIX-like/UNIX servers? No.
Is it still a problem? Yes.

No matter your market share, you patch security vulnerabilities as soon as you can, otherwise you might as well pull your product entirely.
Luckily Apple does ship the update soon as it seems.

The only people affected are advanced users capable of setting up a Mac as a server on the web. Those people can build their own BASH. If they can't, then why are they Unix administrators?
[...]
True, hence me linking to that article in my prior post in which the urgency of the patch/non-urgency is explained.

I don't think I would be applying random patches just yet unless you're in a mission critical situation, and you really know what you're doing.
[...]
That is indeed true.
I haven't patched my installation myself, as I only have local network servers configured. :)

Glassed Silver:mac
 
You've been here a long time so I'm going to give you a lot of credit. However there are lots of reasons in addition to running a server on the web to have SSH open. For instance, recovering a corrupted router.

I think Apple misspoke when they stated only a few advanced unix users. It's just too easy these days to get advice on a forum to tell you, "turn on SSH", and someone forgets to turn it off.

At a minimum, Apple should have listed steps to make your device secure until they release a patch.

Really, the number of people who "turn on ssh" on somebody's advice on a forum is minuscule even compared to the number of people who run servers. More to the point, even if you do turn on ssh for remote logins, why would that make you vulnerable? I've got it enabled and I am not worried as I don't run any servers. An account and a password are still required for ssh connections, and if an attacker somehow has those then you've got bigger problems than this bash vulnerability.
 
The real problem here is that most of the Internet's online sales infrastructure is running a UNIX/Linux of some sort and opens those systems (that take and store our credit card information) to getting compromised...till they are patched.
 
Hopefully you didn't have it reachable by the internet for those two years it did not receive security updates. Doing so now, for a service with any significance, 8 years since its last update, would be especially foolish.

Oh no they never reached the Internet.

Now my most powerful Tezro sits alongside my Fuel and Octane 2 on my museum bench. Quad 1GHz, dual 600MHz, and a 900MHz. Look out, hot stuff here. :cool:

not :(
 
Just FYI, this doesn't affect web servers only; you can also exploit it if you have "Remote Login" enabled in Sharing (though it's much, much harder).

Many 3rd-party apps, like media hubs and some torrent clients, start local web servers that may be susceptible as well.

Let's hope that Apple has the patch out soon, and that they'll fix older OS versions as well.
 
Sorry, but this is incorrect.

Ssh is vulnerable, although an attacker would have to have obtained login credentials to the system, so it's not as big a deal as on a system running Apache or another web daemon. Note that this also means other utilities that make use of ssh - like sync - are potentially vulnerable with the same caveat.

Also, scripting languages like PHP, python, perl, etc. are considered potentially vulnerable because they make use of system calls for many functions.

Additionally, the people claiming this vulnerability has been patched are incorrect. A patch was released but quickly proven to be incomplete and ineffective.

Sorry, but actually, I am correct and here's why:

1. bash isn't the only shell available to Mac OS X; csh, sh, and a few more are also available
2. SSH is only vulnerable in specific configurations, not the default! And no, other services and utils are NOT vulnerable because of ssh
3. There are only certain, specific commands in Perl, PHP and Python that are vulnerable (e.g., https://securityblog.redhat.com/201...-environment-variables-code-injection-attack/)

Here's the specific info from that link:


ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.

Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in Bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).

PHP scripts executed with mod_php are not affected even if they spawn subshells.

DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.

Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.

Any other application which is hooked onto a shell or runs a shell script as using Bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.

The info in my earlier post is correct. This issue has been patched by most Unix/Linux orgs already, with Mac OS X still hanging in the wind because it's not that big a vulnerability for MOST Mac OS X users. Now, please don't tell me what I know when it is clear that you don't know what you're talking about.

P.S. I have been administering *nix machines for more than two decades
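A configuration audit for the exposure conditions in the Red Hat list quoted above (ForceCommand and command= restricted shells for sshd, mod_cgi/mod_cgid with a CGI mapping for Apache; mod_php on its own does not count). This is an added example written for this page, not code from the thread, Red Hat or Apple. The configuration snippets are constructed; the paths follow the OS X Apache layout but the content is made up. The DHCP-client case from the list is not covered, since it depends on which hook scripts a given system runs.

```python
"""Which Shellshock exposure conditions apply to a host, judged from its
sshd_config, authorized_keys and httpd.conf text."""
import re

# Constructed snippets for the example.
SSHD_CONFIG = """\
Port 22
PermitRootLogin no
Match User gitolite
    ForceCommand /usr/local/bin/gitolite-shell
"""
AUTHORIZED_KEYS = """\
command="/usr/bin/svnserve -t",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2E deploy
ssh-rsa AAAAB3NzaC1yc2E alice
"""
HTTPD_CONFIG = """\
LoadModule cgi_module libexec/apache2/mod_cgi.so
LoadModule php5_module libexec/apache2/libphp5.so
ScriptAlias /cgi-bin/ "/Library/WebServer/CGI-Executables/"
<Directory "/Library/WebServer/CGI-Executables">
    Options ExecCGI
</Directory>
"""


def ssh_restricted_commands(sshd_config, authorized_keys):
    """Restricted-shell setups: ForceCommand in sshd_config and command=
    options in authorized_keys.  sshd passes the client's requested command
    to the forced command in the SSH_ORIGINAL_COMMAND environment variable,
    through the account's login shell; if that shell is an unpatched bash
    the client-chosen value is parsed as a function definition and the
    restriction is bypassed.  Without such a restriction the user already
    has a shell, so plain Remote Login adds nothing."""
    hits = []
    for line in sshd_config.splitlines():
        m = re.match(r"\s*ForceCommand\s+(\S.*)", line)
        if m:
            hits.append(("sshd_config", m.group(1).strip()))
    for line in authorized_keys.splitlines():
        m = re.search(r'(?:^|,)command="([^"]*)"', line)
        if m:
            hits.append(("authorized_keys", m.group(1)))
    return hits


def apache_cgi_enabled(httpd_config):
    """True when mod_cgi or mod_cgid is loaded AND something is mapped to
    CGI execution (ScriptAlias or Options ExecCGI).  Commented-out lines
    do not match because the patterns anchor on the directive itself."""
    lines = httpd_config.splitlines()

    def present(pattern):
        return any(re.match(pattern, line) for line in lines)

    module = present(r"\s*LoadModule\s+cgid?_module\b")
    mapping = present(r"\s*ScriptAlias\b") or present(r"\s*Options\b.*\bExecCGI\b")
    return module and mapping


def exposure_report(sshd_config, authorized_keys, httpd_config):
    """Summarise the conditions that apply; an empty report means the
    vulnerable bash on this host has no remote input path from these two
    services (other daemons and SUID programs still need their own check)."""
    report = {}
    ssh_hits = ssh_restricted_commands(sshd_config, authorized_keys)
    if ssh_hits:
        report["ssh_restricted_shell"] = ssh_hits
    if apache_cgi_enabled(httpd_config):
        report["apache_cgi"] = True
    return report


if __name__ == "__main__":
    for key, value in exposure_report(SSHD_CONFIG, AUTHORIZED_KEYS, HTTPD_CONFIG).items():
        print(key, "->", value)
```

Run it against the real files (`/etc/sshd_config`, each user's `~/.ssh/authorized_keys`, `/etc/apache2/httpd.conf` on OS X) to see which of the quoted conditions actually hold before deciding how urgently an unpatched bash matters on that box.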
 