Graham's claim is correct. This bug affects all *nix systems (i.e. Unix, Linux...). Since more than 50% of web servers use Apache (which runs on *nix) and about 14% use nginx (which runs on *nix), it's very easy to see how this is as big as Heartbleed...

I'm sure someone will argue "you shouldn't be using bash for CGI anyway"; but one way or another most common web scripting languages (e.g. perl) do make use of system calls which then potentially touch bash.
 
Will Red Hat Enterprise Linux users have to buy a support contract just to get the bash patches, if they don't want to recompile code themselves? Oracle has mirrored past Red Hat kernel patches, but I don't know if this type of patch will be available for Red Hat Enterprise Linux outside of their customer portal. If not, that could hinder adoption of the fix.
 
But wait ... hold the presses ... just one minute ... every time I have visited an Apple store numerous Apple employees love to tell me that Windows totally sucks, it's a horrible operating system in every respect, it's vulnerable to every virus known to man, but they then add that Mac O/S is "perfect", they are not susceptible to viruses or other security risks.

Now I am a bit confused. Could these so-called genius, better informed, smart, hip, cool, Apple employees be wrong? Is it possible that maybe, just maybe, Mac O/S could be vulnerable to some security risks?

This really has my head spinning because I wonder if there is a chance that these Apple "genius" employees might be wrong. The bedrock of my faith in all things Apple is cracking. They told me they were geniuses, they told me to trust them, they told me they know better than we know ... oh the horror of it all. :p
 
And NO, this is not an error by Apple - they did not write bash, and no other operating system using bash discovered it in the past 20 years either, so Apple is not at fault here. Yes, Apple will need to release an update to patch bash, but there isn't even a completely working patch for bash to fix this yet. Once one is available and tested I am sure Apple will push out the fix.
Apple is at fault.
They used the freeware instead of designing their own, or better yet pay for a 3rd party to develop one.
Sheesh. Apple needs to stop being cheap thinking about the bottom line.
Apple screwed up & they are looking outside their bubble for someone to fix this issue.

How's free looking now Apple?
Until then, happy stomping! :p
 
Not a good week for Apple at all.

The main reason these failures look so bad is the way Apple portrays itself and the products. They've spent years elevating people's expectations so high they've reached convergence.

That's the point at which even Apple can't possibly live up to its self-generated hype. These failures are the downfall of many a company over the years. In this case they'll have a very minor short term effect.

With the legions of Apple advocates that'll ignore any self induced problems this creates, it'll only be a very short time before all is forgotten.
 
Apple is at fault.
They used the freeware instead of designing their own, or better yet pay for a 3rd party to develop one.
Sheesh. Apple needs to stop being cheap thinking about the bottom line.
Apple screwed up & they are looking outside their bubble for someone to fix this issue.

How's free looking now Apple?
Until then, happy stomping! :p

Developing their own replacement for Bash would make no sense. Bash is universally supported and very powerful. Tons of applications, programming languages, etc. use it.
 
Apple is at fault.
They used the freeware instead of designing their own, or better yet pay for a 3rd party to develop one.
Nonsense. The fact that OS X uses standard Unix utilities is a huge asset.
 
Bash is UNIX/Linux yes ?
Not exactly. BASH (Bourne Again Shell) is an application that implements a shell, that is, the command line environment, but it can also interpret scripts.
Which would mean it existed in the UNIX days too, not just Apple..
You do realize that Mac OS/X is UNIX, right? It blows me away that so many don't grasp this. More so, iOS is derived from OS/X, so it is a derivative of UNIX that gives you some of the same capabilities as a UNIX box. iOS is more or less a UNIX box in your pocket.
I hardly ever use Terminal.
That is obvious and frankly not required on Apple's systems. However, do realize one thing: the command line offers a lot of power that you may be able to use to advantage in business and educational settings. For scripting these days, though, I recommend that people learn Python.
 
Apple is at fault.
Apple isn't any more at fault than any other company running UNIX or UNIX-like software. The fact that it took some 25 years for the bug to be discovered should highlight just how secure BASH is.
They used the freeware instead of designing their own, or better yet pay for a 3rd party to develop one.
Which has been demonstrated to not produce better software and in most cases dramatically worse software.
Sheesh. Apple needs to stop being cheap thinking about the bottom line.
Apple screwed up & they are looking outside their bubble for someone to fix this issue.
??? That statement is just asinine.
How's free looking now Apple?
Until then, happy stomping! :p

Look at it this way, the bug was apparently discovered well before a public exploit came into being. Contrast this with MS that usually is fixing exploits after the fact.

----------

Yes... until now!
Nope it is still a huge positive. You need to realize that this was discovered by system developers as opposed to criminals intent on exploiting computers. The fixes are easy to implement and a rational look at the bug indicates that very few Mac users are impacted even if their systems are left unpatched.

----------


Bash is Open Source as well.

Just a snide remark to the "open source is more secure because people can see the source code" crowd. ;)

You do realize how the bug was discovered.
 
But...but...it's open source. So anyone can go in and read the code....

(I guess no one actually does)

Except the guy who found this.

It's amusing to see people bash (heh) open source software when vulnerabilities are found in it, and claim that the idea behind FOSS being more secure--the idea that people can find vulnerabilities--is somehow flawed because people actually found vulnerabilities. It's completely nonsensical.
 
I'm not - I love Apple - but this week they've been to hell and back!

Why is everyone so desperate to cover up that fact?

Nobody is covering up anything; rather, we are just trying to squash attempts to make mountains out of molehills. What we have here is a lot of ignorant people flying off the handle thinking their Macs have a problem. For the overwhelming number of Mac users out there this bug means nothing.

Beyond that all involved don't have a functional patch yet.
 
Except the guy who found this.

It's amusing to see people bash (heh) open source software when vulnerabilities are found in it, and claim that the idea behind FOSS being more secure--the idea that people can find vulnerabilities--is somehow flawed because people actually found vulnerabilities. It's completely nonsensical.

My point was that nobody found it for 20 years despite it being in plain text. So if some bad guy read the code and didn't say anything, he would have 20 years of exploitable time. Almost all open source software is done in people's free time, so who's going to sit up all day and all night making sure everything is buttoned up when no one's paying him? That's why SSL and bash basically were broken for years and no one noticed. Not saying open source software is "bad." I'm just saying the reality is that it's not much different than closed source.
 
My point was that nobody found it for 20 years despite it being in plain text. So if some bad guy read the code and didn't say anything, he would have 20 years of exploitable time. Almost all open source software is done in people's free time, so who's going to sit up all day and all night making sure everything is buttoned up when no one's paying him? That's why SSL and bash basically were broken for years and no one noticed. Not saying open source software is "bad." I'm just saying the reality is that it's not much different than closed source.

In my experience, it depends completely on how the project is run. Each FOSS project has its own culture. The OpenBSD developers are absolutely anal about code quality and doing things correctly, and it shows in their system. The OpenSSL developers were sloppy, reckless, and eventually overwhelmed by the monstrosity they created--and it showed.
 
It probably affects more systems than Heartbleed did, but it still requires the victim to run a malicious bash script. I don't see how this can be an actual security problem in many cases.

----------

I guess this could be the one time that Microsoft fans can say to OS X and Linux (really any 'NIX) fans that Windows DOESN'T have a flaw that IS present on OS X, Linux and any other Unix-based OS.

Yes, it's embarrassing. I'm sad on one hand that such a bad flaw was found, but I get to laugh a little at the "free as in FREEDOM that fights for your rights" maniacs. Don't get me wrong, I like open-source software, but people get overly emotional about it.
 
You do realize how the bug was discovered.

Nope. How was it discovered? By looking at code, or because Stephane Chazelas encountered unexpected behavior while he was using bash environment variables?

Seriously. I have honest interest in those things, but I don't read as much sec news as I used to. So if you can shed some light on the actual process that led to the discovery, please continue.
 
By the way, it should be noted that an updated Bash fix is already available for most commercial Linux distributions within hours of Red Hat releasing the information about this flaw. That's what you get with Open Source software engineers diligently getting a fix out the door.
 
It probably affects more systems than Heartbleed did, but it still requires the victim to run a malicious bash script.

No, that's incorrect.

A machine running a web server that has any sort of scripting enabled (bash, other standard CGI, PHP, etc.) is potentially vulnerable to an outside attack from a non-authenticated or authenticated user.

A machine with ssh enabled is vulnerable to an outside attack - but the attacker would have to have access to the login credentials (or, say, the private key of someone that uses key auth) belonging to a user on that system.

Related to the ssh issue would be other services that also use ssh - e.g. if you have allowed remote rsync script access. This would, again, require the attacker to have some way to successfully log into the machine.

----------

By the way, it should be noted that an updated Bash fix is already available for most commercial Linux distributions within hours of Red Hat releasing the information about this flaw. That's what you get with Open Source software engineers diligently getting a fix out the door.

The patch was incomplete - bash is still vulnerable.
 
So, you have comprehension problems? This affects multiple flavors of Unix and Linux, based on the article. Mac OS X is a flavor of Unix. End of story, except for people like you, waiting to jump on a non-Apple-specific story and make it into one for hits or lies or ego or whatever.

bending issue is also non-Apple specific, what's your point?

----------

You can't really blame Apple for this one, since it's not specific to OSX. It's present in other "Nix" systems too...

same with bending issue. most phones bend...

----------

Nothing. They're still worth billions of dollars and are not dying just because farewelwilliams says "you're out"; your opinion ain't that powerful. Apple Watch is a new product category, which are traditionally announced many months before they launch. Think iPhone, iPad. As for your iPhone that you apparently still don't have, maybe you should have thought of that and pre-ordered earlier than you did if you absolutely MUST have it within a week of its launch. Otherwise, you'll get it next month because it's a brand new product and supplies are a bit constrained. God, what a baby...

notice the third line? it's a joke.

----------

Huh? A flaw that is inherent in Linux/Next/OSX is suddenly Apple's fault?

Today's Operating systems are very complex with millions of lines of code. Things like this are bound to happen.

I turn on my Windows PC and I have a ton of updates EVERY DAY. Let's not get into Windows vs Mac here.. just saying.

so you're implying bending is Apple's fault?

now see, I never said that.
 
Apple is at fault.
They used the freeware instead of designing their own, or better yet pay for a 3rd party to develop one.
Sheesh. Apple needs to stop being cheap thinking about the bottom line.
Apple screwed up & they are looking outside their bubble for someone to fix this issue.

How's free looking now Apple?
Until then, happy stomping! :p

The free option is looking good to me.

People with the most urgent need for patches - web server administrators and others - can update their bash using instructions found in this thread. Hopefully they already have.

If it was a closed source solution, the vendor would either be saying nothing is wrong, that it doesn't really matter, or that the user is holding it wrong.

Even worse, if the development was farmed out to a third party, then Apple might be arguing with the third party about who is going to pay for the fix, rather than getting on with the job of patching the bug. Most likely we'd only see a fix for 10.9 and 10.10.
 
I'm going to ask the obvious question. If this security flaw could have existed for 22+ years without being noticed, what else is still out there? Could Skynet have planted some code that won't kick in for another 20 or 50 years?
 
It would be really cool if there were a single thread focused just on how to assess your level of vulnerability and how to mitigate it, so it wouldn't be necessary to read through umpteen pages of Apple-love vs Apple-hate (currently 6 pages, and growing) ...

----------

For those still running older OSX versions (as in Snow Leopard), will Apple be likely to provide a patch?

Or are we just SOL?
 
It would be really cool if there were a single thread focused just on how to assess your level of vulnerability and how to mitigate it, so it wouldn't be necessary to read through umpteen pages of Apple-love vs Apple-hate (currently 6 pages, and growing) ...
A static page that said "Your vulnerability level is zero" would be correct for most typical OS X users in this case. It may well be an issue for some web servers and embedded systems, but the threat to OS X users in general has been blown way out of proportion.
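Two self-checks that answer the "how do I assess my level of vulnerability" question above, for the machines the earlier reply on attack vectors had in mind (web servers with any CGI or scripting enabled, hosts exposing ssh). This is an added example, not code from the thread or from Apple. It assumes `bash` is on the PATH and that `/bin/sh` exists; the variable name `x` and the `MARKER` text are constructed for the check. The first function uses the widely published self-test pattern: it hands bash an environment variable shaped like an exported function definition with trailing text and looks at whether that trailing text was executed. The second answers the Perl/PHP point made earlier in the thread: `system()` and `popen()` go through `/bin/sh`, so a script in another language only reaches this bug if `/bin/sh` is actually bash.

```shell
#!/bin/sh
# Added example, not from the thread. Two self-checks an administrator can
# run on a box after reading the replies above on how requests reach bash.

# Does the installed bash still turn an environment variable that looks like
# a function definition into a function AND run the text that follows it?
# Prints one of: vulnerable, patched, unknown, no-bash.
# The variable name "x" and the MARKER text are constructed for this check.
check_bash_env_import() {
    if ! command -v bash >/dev/null 2>&1; then
        printf '%s\n' "no-bash"
        return 0
    fi
    # A fixed bash ignores the trailing "echo" (older fixes warn on stderr,
    # newer ones silently skip the variable) and prints only "ok".
    out=$(env x='() { :;}; echo MARKER' bash -c 'echo ok' 2>/dev/null) || true
    case "$out" in
        *MARKER*) printf '%s\n' "vulnerable" ;;
        ok)       printf '%s\n' "patched" ;;
        *)        printf '%s\n' "unknown" ;;
    esac
}

# Is /bin/sh really bash? system() and popen() in Perl, PHP, etc. run their
# command line through /bin/sh, so a bash-backed /bin/sh is what lets a CGI
# script written in another language reach this bug at all.
# Prints "yes" or "no".
sh_is_bash() {
    # Only bash sets BASH_VERSION; dash and other /bin/sh implementations do not.
    v=$(/bin/sh -c 'printf "%s" "${BASH_VERSION:-}"' 2>/dev/null) || true
    if [ -n "$v" ]; then printf '%s\n' "yes"; else printf '%s\n' "no"; fi
}

# Human-readable summary for an admin running this by hand.
report() {
    printf 'bash env-import check: %s\n' "$(check_bash_env_import)"
    printf '/bin/sh is bash:       %s\n' "$(sh_is_bash)"
}

report
```

Read the two lines together: "vulnerable" plus "yes" means anything that passes attacker-controlled strings into the environment of a spawned shell (CGI headers, forced ssh commands) is exposed until the vendor's bash update is installed; "patched" means the installed bash no longer executes the trailing text, and "no" on the second line means `system()`-style calls from other languages never touch bash on this box in the first place. Either way, the only fix is updating bash from the vendor; the check only tells you how urgent that is.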
 
You do realize that Mac OS/X is UNIX right? It blows me away that so many don't grasp this. More so iOS is derived from OS/X so is a derivative of UNIX that gives you some of the same capabilities as a UNIX box. IOS is more or less a UNIX box in your pocket.


Yes, I do realize that. Like how MS-DOS is underlying Windows 95/98/3.1.

You can do a lot more from the command line, invoking switches, than you could ever do from the GUI. And other commands like "sudo" are only accessible from Terminal.
 