it seems to me that if someone is in a position to run bash scripts, then they already have the access they need, unless I am missing something.

unless this is like an SQL injection exploit?
The most troubling attack vector for Shellshock is where websites or devices are using CGI via Apache, and a carefully crafted HTTP request could theoretically invoke bash to execute arbitrary code on the server. That's likely to be a non-issue for almost all desktop/laptop users though.
 
Sorry bud. You picked the wrong forum member to call an apple basher. Jsameds is a certified apple lover. Post history will verify.



There are some who think if you are a fan of apple you automatically give up the ability to criticize them when mistakes are made. You must praise, excuse, or cast a wide net snaring other companies with issues; but never criticize.

Thankfully the vast majority of this forum can rationally evaluate issues on their merits and render an opinion based on the actual issues.

Apple fan boys can become Apple bashers in a hurry and switch back and forth. When there are new releases (hardware and software), of course there are likely to be problems. In a month, all the frothing and angst will die down, esp. when issues are resolved, and most will be. I'm very happy to bash Apple over really stupid stuff such as releasing a firmware update without properly testing it. But I'm not going to go into bash mode and belch/recite out every Apple problem as though they're all critical doom and gloom issues. For example, the pushing out of the free U2 album sent the tech pundits and bashers into a frenzy, and of course it was cited here. Seriously, get a life and don't equate/bundle every problem as though the Apple sky is falling and Tim Cook needs to be fired. Even with this article, it's not just a Mac OS issue, but no, it must be Tim Cook's fault.
 
it seems to me that if someone is in a position to run bash scripts, then they already have the access they need, unless I am missing something.

unless this is like an SQL injection exploit?

Not quite. It's possible to give you access to stuff on my computer, but in a way that is safe, so that you can't get at the things that I don't want you to touch. Obviously that's not easy, giving you _some_ access but not _complete_ access. Giving you no access at all is simple, giving you _some_ access is hard.

And somewhere someone found a bug that allows them to get more access than they should. 99.99% of all Mac users and all iPhone users are safe because iPhone doesn't have bash, and 99.99% of Mac users don't use it that way.

The problem is that there are servers out there, running Unix, Linux, or MacOS X, that are vulnerable, and if someone breaks into these servers, they might indirectly affect you. Let's say if someone hacked Amazon through this vulnerability, then your money might be at risk, whether you use a Mac, an iPhone, Windows or an Android device.

(SQL injection vulnerabilities are stupid. When they were first explained to me, I didn't get it for a while, because my brain said "surely nobody can be so stupid").

The /s is the clue to your answer; it means "sarcasm".

I just tried it. Here's what I got:

Code:
bash: /s: No such file or directory
 
The smaller iPhone has a weak point there too; it's because of the buttons which of course require a hole in the case. That's a natural weak point.

As for why the plus bends more easily than the non-plus, I'm not sure. Of course it being smaller means it's harder to bend unintentionally (smaller size means less force) but it also seems to be harder to bend intentionally. Which, given that it's also slightly thinner than the 6 plus, I can't really explain.

There's that old saying "give me a lever big enough and I can move the world." or something to that effect.

Even though the 6+ is thicker than the 6 (which should give it some additional strength), it's significantly longer, and when force is applied across this additional length the "lever" is longer, and at the point of flexing it will be significantly more powerful because of that length.

I wouldn't avoid a 6+ if I wanted one, but I sure as heck would have it in a hard case and wouldn't be putting it in my pockets much (for sure never sitting on it).

Saying half seriously, Apple needs the 6+ Titanium…for the extra $100 they charge (and since the component costs are almost the same as the regular 6) they could easily afford to use Ti for the case and still get as much profit as the regular 6.
 
strike three. you're out...
now what?
*still waiting for iPhone + Apple Watch*

So, you have comprehension problems? This affects multiple flavors of Unix and Linux, based on the article. Mac OS X is a flavor of Unix. End of story, except for people like you, waiting to jump on a non-Apple-specific story and make it into one for hits or lies or ego or whatever.
 
The typical slow response is specific to Apple.

You can get an update for just about every other reputable platform.

Those other "reputable platforms" are going to be server OS first and foremost. Of course they have to respond to this quickly, they're a much larger risk.
 
Apple fan boys can become Apple bashers in a hurry and switch back and forth. When there are new releases (hardware and software), of course there are likely to be problems. In a month, all the frothing and angst will die down, esp. when issues are resolved, and most will be. I'm very happy to bash Apple over really stupid stuff such as releasing a firmware update without properly testing it. But I'm not going to go into bash mode and belch/recite out every Apple problem as though they're all critical doom and gloom issues. For example, the pushing out of the free U2 album sent the tech pundits and bashers into a frenzy, and of course it was cited here. Seriously, get a life and don't equate/bundle every problem as though the Apple sky is falling and Tim Cook needs to be fired. Even with this article, it's not just a Mac OS issue, but no, it must be Tim Cook's fault.

I think the issue that separates our opinions is your use of the word bash. People can be critical of Apple without bashing them. There is a difference. In the case of Jsameds comment, it wasn't a bash and barely qualifies as a criticism. It was just an observation of Apple issues that have occurred in an extraordinarily condensed time frame. To say they've experienced multiple problems recently is apt. Nowhere did that comment imply doom and gloom nor did it rank the issues regarding triviality or seriousness.

Regarding this article, blame should be put on MR for the headline and certain posters who only read the headline and immediately start posting without bothering to read the actual information. It's not just this article and MR though. It's an unfortunate byproduct of today's internet driven consumption. Click bait headlines are designed to do just that, get clicks.

Again, bashing and criticizing are not necessarily the same thing.
 
Windows does not need a terminal and it has a command line interface. Type "cmd.exe" and there is the Windows "Terminal".

The OS's have a very different architecture. I like both and use both.

That was what I meant. The Windows terminal is a joke. It only works with Windows and nobody else. I can happily do so much across all the *nix OS's. I can just open any *nix terminal and type away, but when I need to accomplish the same thing on Windows, it's a headache.
 
Nope. The fact that Windows doesn't even have a terminal is a flaw in itself. And nope, Windows PowerShell is a joke.

PowerShell is certainly not a joke; a unified command language for all of the different products that company makes is incredibly useful. The fact that it includes typical csh/bash commands for people like you who hate it is quite nice.
 
You did not read the memo: http://www.openwall.com/lists/oss-security/2014/09/24/11: "public disclosure is scheduled for Wednesday, 2014-09-24 14:00 UTC."

That means the bug was found and reported to several companies (RedHat, SuSE, Ubuntu, ... (1)) before that date! And those companies have been working on a patch since then.

(1) Apparently Apple did not care so far. Probably because they're busy with their #bendgate and #iOS8Cluster**** - all other affected (Linux) distros already HAVE released a patch, or the patch is coming today or by end of the week (the above memo was leaked a bit too early)

Yep. Difference is: for most (probably all by now) Linux distros the patch is already available. Apple WTF?


Apple tends to not announce patches until they are available. You know this, I'm sure, and no, not all Unix/Linux systems are patched yet.
 
If Apple issued an OS X patch for vulnerability CVE-2014-6271 then they'd have to issue another update when a patch becomes available for followup vulnerability CVE-2014-7169. I'll wait to get both at once.
 
Many noobs here attempting to understand what "BASH" is, so let me explain:

"BASH" = Bourne Again SHell

"BASH", in this context, is NOTHING to do with "bashing", as-in bashing a product for X,Y or Z reasons.

Maybe you would be prudent to read up a little, before commenting on a subject you know little to nothing about:

http://en.wikipedia.org/wiki/Bash_(Unix_shell)

I'll call Richard Stallman and ask him to explain, if you like? The BASH shell is part of the GNU project, thus the source code HAS ALWAYS, ALWAYS been available as free software (free as in free speech), under the GNU GPL (General Public Licence). If you understand how free software/open-source software works, you'll know more than enough to know that you cannot attack/blame Apple for this, just because it happens to be posted on an Apple-centric forum.

Don't waltz into a topic assuming instant knowledge of every subject you comment on; you'll end up being handed a flannel to wipe the egg from your face.
 
That article doesn't actually contain _any_ useful information.

“Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera,” Beardsley said. “Anybody with systems using Bash needs to deploy the patch immediately.”

This told me more about what I needed to be worried about than anything in the article on here did.
 
It strikes me that whenever there is something thrilling in the air,
everybody panics and everybody starts to spread confusing non-facts.
At least someone like Moto G explains what is going on. (thanks).

So, concluding: APPLE is obviously waiting for a new bash, but from whom?
I will not lay awake tonight. (and I don't have a server).
;JOOP!
 
The bug is fixed. The patch is available. Apple could have rolled it out by now.

Actually, no.

You should take a gander at Red Hat's Bugzilla ticket for the bug. The current patch is incomplete. Some guy already posted an exploit (with a demo) that works quite well against the patched version of bash.

BTW I don't actually disagree with your general point.
 
That was what I meant. The Windows terminal is a joke. It only works with Windows and nobody else. I can happily do so much across all the *nix OS's. I can just open any *nix terminal and type away, but when I need to accomplish the same thing on Windows, it's a headache.

Agree. The shell within the Terminal (ksh / bash / c-shell) is very powerful. Using input & output redirection and Unix commands you can do a lot. However, execution is relatively slow.

Windows is limited in direct comparison ( no grep, cut, awk, sed, tr, bc, etc... ) but developers and engineers tend to write small programs to achieve the same functionality with faster execution time.

So it's not directly comparable. I think the Unix way is more flexible, which is a good thing.
 
Windows is limited in direct comparison ( no grep, cut, awk, sed, tr, bc, etc... ) but developers and engineers tend to write small programs to achieve the same functionality with faster execution time.
They do? I just install Cygwin personally, then you can write cross-platform scripts. Cygwin has already been patched.
 
They do? I just install Cygwin personally, then you can write cross-platform scripts. Cygwin has already been patched.

In business environments you cannot install what you want. You need to use what they have. Often they only have OS's and compilers according to IT Strategy and Product Management.
 
As far as Apple is concerned, it is a shame Apple hasn't responded yet. But I am sure they will, and until then I don't see too many people (especially with their private machines) being affected by this.

T.
I agree, Apple will surely soon patch this. Question is, for Mavericks and Yosemite only? Likely Mountain Lion too? Lion? Snow Leopard? Leopard? Not saying that many still use Snow Leopard, Leopard, or Tiger but some might do as servers for legacy reasons or whatever.

I often use Terminal on my desktop and can't say I'm too worried personally, but I don't like Apple's policy of not stating when support for an OS ends.
 
Bug fix IS available

http://apple.stackexchange.com/ques...e-remote-exploit-cve-2014-6271-and-cve-2014-7

worked fine for me using Xcode ... took 2 minutes.

System Binaries

OS X 10.9.5 (the latest stable release at the moment) ships with Bash v3.2.51:

$ bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
You can obtain and recompile Bash as follows, providing that you have Xcode installed:

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ cd ..
$ xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version # GNU bash, version 3.2.52(1)-release
$ build/Release/sh --version # GNU bash, version 3.2.52(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin
After this, the Bash version should be v3.2.52:

$ bash --version
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
For security, and after testing, I recommend that you chmod -x the old versions to ensure they aren't re-used, or move them to a backup site.

$ sudo chmod a-x /bin/bash.old /bin/sh.old
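A small checker, added here as an example and not part of the thread or the linked Stack Exchange answer, that parses the `bash --version` banner the procedure above prints and reports whether a 3.2-line bash is at or past the 3.2.52 the rebuild should produce. It only reads the version string, so it confirms the rebuild took effect; it is not proof the binary is safe (the thread itself notes the first patch was incomplete), and it reports any non-3.2 branch as unknown because fixed patch levels differ per branch. The function names and the `--check` flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the linked answer): checks the version
# banner printed by `bash --version` after the rebuild above. A version number
# only shows the rebuild took effect; it is not proof the binary is safe.

# Extract "3.2.51" from a `bash --version` banner line. Prints nothing if the
# line is not a bash banner.
bash_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when dotted version $1 is >= version $2, comparing major, minor
# and patch level numerically (so 3.2.52 > 3.2.9, unlike a string compare).
version_ge() {
    a_maj=${1%%.*}; rest=${1#*.}; a_min=${rest%%.*}; a_pat=${rest#*.}
    b_maj=${2%%.*}; rest=${2#*.}; b_min=${rest%%.*}; b_pat=${rest#*.}
    if [ "$a_maj" -gt "$b_maj" ]; then return 0; fi
    if [ "$a_maj" -lt "$b_maj" ]; then return 1; fi
    if [ "$a_min" -gt "$b_min" ]; then return 0; fi
    if [ "$a_min" -lt "$b_min" ]; then return 1; fi
    if [ "$a_pat" -ge "$b_pat" ]; then return 0; fi
    return 1
}

# Classify a banner for the bash 3.2 branch that OS X ships: prints "patched"
# (3.2.52 or later), "unpatched" (older 3.2.x) or "unknown" (not a bash banner,
# or another branch, whose fixed patch levels differ). Exit status mirrors it.
classify_bash_banner() {
    v=$(bash_version_from_banner "$1")
    case "$v" in
        3.2.*)
            if version_ge "$v" 3.2.52; then echo patched; return 0; fi
            echo unpatched; return 1 ;;
        *)
            echo unknown; return 2 ;;
    esac
}

# Run the check against a bash binary ($1, default: the bash on PATH).
check_bash_binary() {
    bin=${1:-bash}
    if ! command -v "$bin" >/dev/null 2>&1; then echo "not found"; return 3; fi
    classify_bash_banner "$("$bin" --version 2>/dev/null | head -n 1)"
}

# Usage: sh check-bash.sh --check [/path/to/bash]
case "${1:-}" in --check) check_bash_binary "${2:-}" ;; esac
```

Point it at `/bin/bash`, `/bin/sh` and the freshly built `build/Release/bash` separately: the procedure replaces both system binaries, and the check only tells you about the path you hand it.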
 
this whole thing is blown WAY out of proportion...

Yes, every single *nix based device with a bash shell is technically vulnerable. But in order to exploit this vulnerability a hacker has to already have remote bash access to your device (which usually has to be turned on and then the hacker would need a login or use the guest login [which should never be allowed for remote bash]) and they would be limited to the permissions of their login even when running this malicious code.

Only web servers running CGI scripts (Or PHP Scripts run in CGI mode) are truly vulnerable to an attack by a hacker.

And the articles claiming your smart light bulbs are vulnerable and this can give the hacker access to all computers on your network are just fear-mongering. Do you allow remote login to your router? Do you have guest access to your wifi network that allows guest connection to devices on your LAN? Does the smart light bulb have SSH enabled for guest access? The hacker would have to be able to connect to the light bulb past your router BEFORE attempting to SSH to the light bulb for bash access. And then what are they going to do? Control your lights? Download the history of when lights are turned on and off?

Yes, this needs to be patched and fixed on all devices ASAP, but there is no need for the average user to panic.

And NO, this is not an error by Apple - they did not write bash, and no other operating system using bash discovered it in the past 20 years either, so Apple is not at fault here. Yes, Apple will need to release an update to patch bash, but there isn't even a completely working patch for bash to fix this yet. Once one is available and tested I am sure Apple will push out the fix.
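Server-side detection for the CGI vector discussed earlier in the thread (a crafted HTTP request reaching bash through Apache CGI), added here as an example that is not part of the thread: a few shell functions that scan combined-format web access log lines for the `() {` function-definition prefix that a Shellshock probe carries in a header value, and list the source addresses involved. The log lines are constructed for the example; the field layout and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Scans combined-format (Apache/nginx)
# access-log lines for the Shellshock trigger: an HTTP header value that starts
# with a bash function definition, "() {". Combined format logs only the
# request line, Referer and User-Agent, so a probe sent in another header
# will not appear here; pair this with server-side or CGI-process telemetry.

# Print every stdin line containing "() {" (whitespace between optional).
shellshock_log_hits() {
    grep -E '\(\)[[:space:]]*\{'
}

# Count matching lines on stdin (tr strips the padding BSD wc adds).
shellshock_log_count() {
    shellshock_log_hits | wc -l | tr -d ' '
}

# Unique client addresses (first field) of matching lines, one per line.
shellshock_log_sources() {
    shellshock_log_hits | awk '{ print $1 }' | sort -u
}

# Constructed sample traffic (not real log data). Lines 2 and 4 carry the
# pattern in the User-Agent and Referer fields; the others are benign.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 54 "-" "() { :; }; :"
198.51.100.9 - - [25/Sep/2014:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://example.com/" "curl/7.30.0"
203.0.113.7 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { x; }; :" "Mozilla/4.0"'

# Wrappers over the sample so the result can be checked directly.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_log_count
}
sample_hit_sources() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_log_sources | tr '\n' ' '
}

# Usage on a real log: shellshock_log_sources < /var/log/apache2/access_log
```

A hit against a path under `/cgi-bin/` on a host whose bash is still at the unpatched version is the case worth escalating; a hit against a static page tells you someone is scanning, which is worth a block rule but not a rebuild in the middle of the night.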
 
The big difference is that heartbleed affected web servers, so computers that are facing attacks on a daily basis and where a single attack can compromise thousands of users. There are very few OSX servers on the Internet, most of the OS computers on the Internet are PC. So, I fail to see how this could be as big as Heartbleed.

Graham's claim is correct. This bug affects all *nix systems (ie. unix, linux...). Since more than 50% of web servers use apache (which runs on *nix), and about 14% use nginx (which runs on *nix), it's very easy to see how this is as big as Heartbleed...
 
http://apple.stackexchange.com/ques...e-remote-exploit-cve-2014-6271-and-cve-2014-7

worked fine for me using Xcode ... took 2 minutes.

I will not do it (I don't feel the need) but I like your attitude! Top :)
 