'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services

MacRumors

macrumors bot
Original poster
Apr 12, 2001
48,662
10,081



Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed," referring to the flaw discovered earlier this year in the popular OpenSSL software which secures connections between clients and servers:
Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.
Heartbleed was said to have affected 66% of the Internet, although Apple announced in April that the exploit did not affect its software or "key services." Apple also released updates for the AirPort Extreme and Time Capsule to better secure both web devices against Heartbleed.

A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week. It is possible however that Apple will release a fix for OS X in the near future to address the exploit, similar to what it has done for other security issues in the past.

Article Link: 'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services
 

Yebubbleman

macrumors 68040
May 20, 2010
3,035
361
Los Angeles, CA
I guess this could be the one time that Microsoft fans can say to OS X and Linux (really any 'NIX) fans that Windows DOESN'T have a flaw that IS present on OS X, Linux and any other Unix-based OS.
 

Avenged110

macrumors 6502a
Aug 2, 2010
508
375
Greatest Country on Earth
Why would Apple have included a fix in previous updates for a bug that was reported on today? (Unless it was reported to them before being published, but that doesn't sound like the case.) Of course a fix wasn't included and will have to ship with a new security update...
 

Slix

macrumors 65816
Mar 24, 2010
1,156
1,363
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
 

H2SO4

macrumors 601
Nov 4, 2008
4,578
4,798
*facepalm* You people don't know what bash is, do you? This has nothing to do with Apple.
Of course it bloody is. If it’s something they can fix they should regardless of who designed the core of the OS.

If you bought a brand new car that had a faulty battery and the car dealer said he could temporarily fix it rather than have you wait for an item from Varta you’d take it right?
 

fluchtpunkt

macrumors member
Aug 16, 2013
87
19
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
If only Bash had been open source so people could search for bugs in the source code


/s
 

foobarbaz

macrumors 6502a
Nov 29, 2007
539
561
Relax, people, the sky is not falling.

This problem primarily affects things running a (web) server.

Your home Mac might technically be affected, but you're likely not running anything that exposes the bug to an attacker.
 

MentalFloss

macrumors 65816
Mar 14, 2012
1,016
799
Managed to find some detailed information on this. Red Hat's security blog appears to be down (possibly due to an overload of requests).

"So far, HTTP requests to CGI scripts have been identified as the major attack vector."
"The other vector is OpenSSH"
http://seclists.org/oss-sec/2014/q3/650

Not a reason for panic for the vast majority of users, but obviously not something that should remain unpatched for long.
 

fluchtpunkt

macrumors member
Aug 16, 2013
87
19
So is this only a problem if SSH sharing is enabled?
This is only a problem if you have something like a server that runs bash scripts that set environment variables to values that come from untrusted sources (e.g. HTML forms, API calls).

If you are not sure if you are running such a thing you are most likely not directly affected by this.
 
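The mechanism fluchtpunkt describes (a server that hands untrusted values to bash through environment variables) and the CGI vector in the oss-sec post MentalFloss links are the same thing seen from two sides: a CGI server exports request headers as environment variables and then starts the script in bash. The following is an added example written for this page, not code from the thread, from Red Hat or from Apple. It assumes a `bash` binary on PATH, and the access-log lines and the `/cgi-bin/status` path in them are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from MacRumors, Red Hat or Apple.
# It shows (1) why a CGI request reaches bash's environment parser, (2) the
# public one-line check for the bug, and (3) a grep over constructed access
# log lines for the probe signature. Assumes `bash` is on PATH for (1) and
# (2); the log lines and the /cgi-bin/status script are made up.

# Stand-in for a CGI web server: the client's User-Agent header is exported
# as HTTP_USER_AGENT, then the CGI script is started in a fresh bash. The
# value reaches bash unchanged. An unpatched bash treats any variable whose
# value starts with "() {" as an exported function and keeps parsing after
# the closing brace, so the command that follows runs before the script's
# first line. The script body here is deliberately harmless.
cgi_handle_request() {
    HTTP_USER_AGENT="$1" bash -c 'printf "%s\n" "hello from cgi"' 2>/dev/null
}

# The widely circulated test string: the only thing it can do on a vulnerable
# bash is print "vulnerable". Prints "patched", "vulnerable" or "no-bash".
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    case "$(cgi_handle_request '() { :;}; echo vulnerable')" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Constructed combined-format access log (Referer and User-Agent are the last
# two quoted fields). Lines 2 and 3 carry the function-definition prologue in
# a header; the commands after it are echo only.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
203.0.113.9 - - [25/Sep/2014:10:01:08 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored;}; /bin/echo scan" "curl/7.30.0"
203.0.113.11 - - [25/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Counts stdin lines containing the exact four characters "() {". That is
# the prologue bash's importer looks for before it parses a value as a
# function, so every working probe has to carry it whatever command follows.
# Output is the count ("0" when nothing matches); exit status is always 0.
count_shellshock_probes() {
    grep -c -F '() {' || true
}

# Stand-alone run.
echo "local bash: $(shellshock_check)"
echo "probe lines in sample log: $(sample_log | count_shellshock_probes)"
```

Run it with sh or bash. On a patched bash the check prints `patched` and the request handler prints only its own line, because the fix stops importing functions from arbitrary variable values (later versions accept them only under a dedicated `BASH_FUNC_` name). Two caveats: the first fix was incomplete and follow-up parser bugs (CVE-2014-7169 among them) needed further patches, so a `patched` result from this one string does not prove all of them are closed; and the OpenSSH vector from the same post goes through the same door, since sshd exports the client's requested command as `SSH_ORIGINAL_COMMAND` before running a `ForceCommand`, so a key restricted to one command can still reach an unpatched bash.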

recoil80

macrumors 68030
Jul 16, 2014
2,939
2,546
Why would Apple have included a fix in previous updates for a bug that was reported on today? (Unless it was reported to them before being published, but that doesn't sound like the case.) Of course a fix wasn't included and will have to ship with a new security update...
Where did you read that Apple included a fix in previous updates?
The article talks about the Heartbleed fix, not this new bug, and states that perhaps a fix will be included in future updates.
 

batchtaster

macrumors 65816
Mar 3, 2008
1,031
217
So is this only a problem if SSH sharing is enabled?
No. Many installers, for example, use scripts. e.g.: to remove an older version before installation, to perform some form of activation, create symbolic links, etc.

For example, scripts in the Microsoft Office 2011 updater specifically register updated components with LaunchServices (rather than letting LaunchServices just eventually figure it out), and scripts in Apple's own iTunes installer quit the iTunesHelper process that looks for iPod/iPad/iPhone devices to be connected before the software is updated, and update the kext cache afterwards. Some of the "enhancement"/tweak tools (the TinkerTool-like apps) often perform their tweaks via a library of shell scripts that put a GUI on a command-line function.

These scripts may or may not run as bash scripts; they may also be perl, python, csh, sh, etc. bash is simply one (very popular) runtime environment; one that you can also interact with line-by-line via the Terminal.

As always, care should be taken with anything you download or use.

Where did you read that Apple included a fix in previous updates?
The article talks about the Heartbleed fix, not this new bug, and states that perhaps a fix will be included in future updates.
A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week.
 

kerrikins

macrumors 65816
Sep 22, 2012
1,202
436
This article seems to have more info:

http://www.theglobeandmail.com/technology/new-bash-software-bug-may-pose-bigger-threat-than-heartbleed/article20781350/
 

djtech42

macrumors 65816
Jun 23, 2012
1,429
49
Mason, OH
No. Many installers, for example, use scripts. e.g.: to remove an older version before installation, to perform some form of activation, create symbolic links, etc.

For example, scripts in the Microsoft Office 2011 updater specifically register updated components with LaunchServices (rather than letting LaunchServices just eventually figure it out), and scripts in Apple's own iTunes installer quit the iTunesHelper process that looks for iPod/iPad/iPhone devices to be connected before the software is updated, and update the kext cache afterwards. Some of the "enhancement"/tweak tools (the TinkerTool-like apps) often perform their tweaks via a library of shell scripts that put a GUI on a command-line function.

These scripts may or may not run as bash scripts; they may also be perl, python, csh, sh, etc. bash is simply one (very popular) runtime environment; one that you can also interact with line-by-line via the Terminal.

As always, care should be taken with anything you download or use.
I do use bash in the terminal (basic commands, homebrew, cocoapods, etc.), so I would be affected then?
 

Dorje Sylas

macrumors 6502
Jun 8, 2011
499
330
What about routers with Web interfaces? Since networked webcams with HTML interfaces are noted I have to wonder about similar routers.

Not that I'd see WHY a router should be using a Bash shell to modify its settings from the web UI but....
 

Lictor

macrumors 6502
Sep 13, 2008
383
21
Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed"
The big difference is that Heartbleed affected web servers, so computers that are facing attacks on a daily basis and where a single attack can compromise thousands of users. There are very few OS X servers on the Internet; most of the OS X computers on the Internet are PCs. So, I fail to see how this could be as big as Heartbleed.
 

gnasher729

macrumors P6
Nov 25, 2005
16,948
3,830
If only Bash had been open source so people could search for bugs in the source code


/s
You mean like OpenSSL? Which is basically an unmaintainable and undocumented mess of code? Where you are free to search for bugs in the source code, but have no chance to find them, and even less of a chance to fix them?
 