The Bash vulnerability is not limited to OS X. Almost all Linux servers have Bash installed.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services
- Thread starter MacRumors
- Start date
- Sort by reaction score
The Bash vulnerability is not limited to OS X. Almost all Linux servers have Bash installed.
However there are good number of UNIX and Linux Servers. Something like 60% according to w3techs.
thatsthejoke.png
Bash is Open Source as well.
Just a snide remark to the "open source is more secure because people can see the source code" crowd. 😉
Lol both are open source, and the majority of code has security flaws that are just waiting to be exploited. People are so worried and fearful, these are just the ones that are exposed.
You did not read the memo: http://www.openwall.com/lists/oss-security/2014/09/24/11: "public disclosure is scheduled for Wednesday, 2014-09-24 14:00 UTC."
That means the bug was found and reported to several companies (RedHat, SuSE, Ubuntu, ... (1)) before that date! And those companies have been working on a patch since then.
(1) Apparently Apple did not care so far. Probably because they're busy with their #bendgate and #iOS8Cluster**** - all other affected (Linux) distros already HAVE released a patch, or the patch is coming today or by end of the week (the above memo was leaked a bit too early)
----------
Yep. Difference is: for most (probably all by now) Linux distros the patch is already available. Apple WTF?
gnasher729
Suspended
After reading a proper description of the problem: It is no problem for you unless you are using your Mac as a server that accepts commands from untrusted sources (and then only if it sets environment variables based on commands from untrusted sources). If you haven't set up your Mac as a server, if you don't know what bash is and what environment variables are, then you don't have a problem. This isn't a problem for 99.99% of MacOS X users and 100% of iOS users. bash isn't even installed on iOS.
Apple's own servers may be using bash in a way that is unsafe and they would have to fix that. We don't know that. You wouldn't be told about that. 't the case of the "Heartbleed" OpenSSL bug, Apple didn't use OpenSSL in its servers and therefore was safe. Some people may be using their Macs as servers, and they need to take care of this.
Bash being installed is not a problem. Only if it is used in a way that exposes it to attacks, and most people don't do that.
I haven't ever looked at the source code for bash.
I had to look at the documentation of OpenSSL which is a joke. I then had to look at the source code of OpenSSL because the documentation was so bad, and I can tell you, it's not funny.
Last edited:
However you can blame Apple very well for not delivering a patch until now - unlike most other Linux distros (RedHat, Ubuntu, SuSE, ...).
This vulnerability has been found and reported some time ago - only the public release was meant to be this week, and the idea is that every involved company has a patch ready by then!
(Apparently infos about this security issue leaked too early, that's why several Linux distros are still working on a patch - Apple?).
----------
Are you now talking about Apple and their iOS 8.0.1 disaster?
No, as far as I have seen so far the first initial patch didn't actually fix the problem. The fact is that the bug was publicly disclosed yesterday, and you are ranting because there is no patch today, as of yet.
gnasher729
Suspended
MentalFloss
macrumors 65816
A bit sick of that kind of snide remarks. They always come from people who confuse "more secure" with "completely flawlessly secure". I really want to see where anyone has ever made the statement that open source code is absolutely flawless and unaffected by any security problems.
Which "initial patch"? What the heck are you talking about? There are dozens of Linux distros (which yes, probably use the same patch to fix the problem).
And until you tell us otherwise (preferably: URL!) we have to assume that the following distros already have a (working!) patch:
Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
CentOS (versions 5 through 7)
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Debian
[http://arstechnica.com/security/201...ig-security-hole-on-anything-with-nix-in-it/]
Apple? Want to bet whether we'll receive a security fix by end of this week?
The bug is fixed. The patch is available. Apple could have rolled it out by now.
The GNU people even were so nice to backport the fixes to the ancient version Apple is using because Apple doesn't want code that's licensed with GPL v3.
http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052
Apple just has to apply the patch and provide a new bash binary through software update. Apple does not have to identify the bug, they don't have to come up with a solution, they don't have to verify the fix. Everything is done already.
Stupid politics are the only thing that prevent the release of this bugfix. Probably because they like to bundle patches so people think their software is more secure because it isn't patched that often.
Yep... Makes all those users feel pretty good... Ican see Microsoft with an ad and all of us will be a netted.
Watabou
macrumors 68040
We are finally (most likely) going to get an update to the system bash in over 7 years! 😀
Seriously how has apple not updated bash in such a long time?
Also currently bash has received an incomplete patch so the the patched bash is still vulnerable until the complete fix is pushed out.
In the meantime, I unset bash to be executable after backing it up. I always have zsh to run my shell scripts.
Seriously how has apple not updated bash in such a long time?
Also currently bash has received an incomplete patch so the the patched bash is still vulnerable until the complete fix is pushed out.
In the meantime, I unset bash to be executable after backing it up. I always have zsh to run my shell scripts.
Indeed.
There are plenty of well documented vulnerabilities in Open Source code all the time, including massive kernel vulnerabilities that remain unpatched for months, security flaws that would shame any company actually running an industry standard OS and a laundry list of known bugs that are known but never fixed because Freeness. And when they're fixed, the community's definition of "fixed" may mean "crappy plugin which masks the issue by extending functionality to include new implementation of broken feature" vs "actually fixing said broken feature".
When something does actually work well creators tend jump and run because they have what the community considers the audacity to actually want to get paid for their hard work, and implement it either on other platforms or get on the open core bandwagon, hoping that at least some of the user base are willing to pay for additional functionality. Of course, that makes them heretics because it's not true FLOSS and hence evil.
On a related note, I wonder how Canonical are doing with Ubuntu Touch. I trust it won't end like the Dellbuntu fiasco at all (if it makes it past the vapourware stage, that is), and will be the real innovation the sheeple have been waiting for! /s
I for one am not sold until it can has compiz. 😎
Why? Software exploits can be targeted by malicious software that just scans internet connected machines for vulnerabilities - you don't have to be special to be a target, you just have to exist.
The NSA (and any other organisation like it) on the other hand might target a wide range of people, but your life is almost certainly so boring that they aren't ever going to look into it in any detail.
It's a lot younger. The last bugfix came on 17-Mar-2010 😉
More seriously, the problem is GPL v3. With the release of Bash Version 4 GNU changed the license to GPL v3.
Apple does not want to (or can't? I'm no GPL expert) use GPL v3, so they are stuck with old versions. That was the case with gcc, and it's the case with bash and many other shell tools.
Apple will not switch to Bash 4.0. So you are still stuck with the 7 year old shell with bugfixes. Thankfully homebrew comes to the rescue.
EDIT: I take back what I said earlier, apparently the vulnerability s not completely fixed.
https://access.redhat.com/security/cve/CVE-2014-7169
Last edited:
Watabou
macrumors 68040
'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Serv...
Ah I see. Thanks for the info. Well at least gnu back ported the patch. That also explains why Apple has kept zsh fairly up to date and bash lagged behind. I thought apple actually being reasonable with this, and preferred zsh 🙂
Personally, I use zsh so I haven't needed to install homebrew's bash until today.
Bash still hasn't been fixed though, the fix is incomplete: https://news.ycombinator.com/item?id=8365158
Ah I see. Thanks for the info. Well at least gnu back ported the patch. That also explains why Apple has kept zsh fairly up to date and bash lagged behind. I thought apple actually being reasonable with this, and preferred zsh 🙂
Personally, I use zsh so I haven't needed to install homebrew's bash until today.
Bash still hasn't been fixed though, the fix is incomplete: https://news.ycombinator.com/item?id=8365158
This arstechnica article provides a Terminal command test. According to that test, Mountain Lion is also vulnerable.
http://arstechnica.com/security/201...big-security-hole-on-anything-with-nix-in-it/
Ok, now what? What do we do, short of waiting for Apple to fix it?
http://arstechnica.com/security/201...big-security-hole-on-anything-with-nix-in-it/
Ok, now what? What do we do, short of waiting for Apple to fix it?
Sean4000
Suspended
To those wanting to shove "snide" comments back our way...
No one ever said that the open source community of programmers was perfect or that they'd catch every bug with their multitude of programmers. Guess what, they're human. Some are enthusiasts, some are paid by large companies but they're still human beings.
They got over confident, complacent, and maybe a bit lazy. And well....This happened.
I'm sure a patch is coming quickly.
No one ever said that the open source community of programmers was perfect or that they'd catch every bug with their multitude of programmers. Guess what, they're human. Some are enthusiasts, some are paid by large companies but they're still human beings.
They got over confident, complacent, and maybe a bit lazy. And well....This happened.
I'm sure a patch is coming quickly.
Watabou
macrumors 68040
There are a couple of temporary things you can do, the first of which is turn off remote logins (ssh)
This reddit thread has other solutions if you must have ssh on: http://www.reddit.com/r/netsec/comm...71_remote_code_execution_through_bash/ckrp8hl