Hands up who has exposed their Bash to the internet?

What, you don't know what I'm talking about? Then you're not affected.

Sensationalist reporting on this all over the web. OS X is not affected unless you are running a web server with it.

In a related note, if Bash is exposed through the Apache web server, wouldn't that be a huge gaping hole in Apache? Bash is a shell but it's also basically a full blown programming environment; nothing coming in from the internet should have access to that. Except through SSH, where SSH takes over protective duties.
 
Ok.. first - let me admit: TL;DR (most of it)..

But - that being said.

I do install the Unix packages and run X-programs. I also use XDM to manage remote clients on my home network as well as ssh / telnet / ftp, etc..

But - I don't run apache or anything like that... I do plan on setting up a Sun / Solaris box as a fileserver in the near future and will be setting up ssh and a DMZ so I can get in remotely - but once again - no webserver.

So, this won't affect me, correct?
 
I guess this could be the one time that Microsoft fans can say to OS X and Linux (really any 'NIX) fans that Windows DOESN'T have a flaw that IS present on OS X, Linux and any other Unix-based OS.

... and a stopped clock is right twice a day...
:)
 
Apple isn't any more at fault than any other company running UNIX or UNIX-like software. The fact that it took some 25 years for the bug to be discovered should highlight just how secure BASH is.

Which has been demonstrated to not produce better software and in most cases dramatically worse software.

??? That statement is just asinine.


Look at it this way, the bug was apparently discovered well before a public exploit came into being. Contrast this with MS that usually is fixing exploits after the fact.

----------


Nope it is still a huge positive. You need to realize that this was discovered by system developers as opposed to criminals intent on exploiting computers. The fixes are easy to implement and a rational look at the bug indicates that very few Mac users are impacted even if their systems are left unpatched.

----------



You do realize how the bug was discovered.

Your replies are hollow and empty of substance.
Nothing you posted quantified an appropriate rebuttal.

I also like how now MS is part of the topic... or was that an attempt at a diversion to take the eyes off Apple... :eek:

----------

I'm going to ask the obvious question. If this security flaw could have existed for 22+ years without being noticed, what else is still out there? Could Skynet have planted some code that won't kick in for another 20 or 50 years?
Correct.
More exploits are known and hackers are just cracking the egg.
This fall will be harder than last time...
 
Not quite. It's possible to give you access to stuff on my computer, but in a way that is safe, so that you can't get at the things that I don't want you to touch. Obviously that's not easy, giving you _some_ access but not _complete_ access. Giving you no access at all is simple, giving you _some_ access is hard.

And somewhere someone found a bug that allows them to get more access than they should. 99.99% of all Mac users and all iPhone users are safe because iPhone doesn't have bash, and 99.99% of Mac users don't use it that way.

The problem is that there are servers out there, running Unix, Linux, or MacOS X, that are vulnerable, and if someone breaks into these servers, they might indirectly affect you. Let's say if someone hacked Amazon through this vulnerability, then your money might be at risk, whether you use a Mac, an iPhone, Windows or an Android device.

(SQL injection vulnerabilities are stupid. When they were first explained to me, I didn't get it for a while, because my brain said "surely nobody can be so stupid").

Thanks for the breakdown, I wish other news sites would stop touting this like it is a virus that users need to worry about.
 
Apple is at fault.
They used the freeware instead of designing their own, or better yet paying a 3rd party to develop one.
Sheesh. Apple needs to stop being cheap thinking about the bottom line.
Apple screwed up & they are looking outside their bubble for someone to fix this issue.

How's free looking now Apple?
Until then, happy stomping! :p

so you would rather that no third party software is allowed to be run on a mac? and that apple writes all its own code... well then say goodbye to a lot of cross platform features... SMB is owned by Microsoft and has to be licensed for use... so no more windows networking on mac...

and even if you want to continue with your narrow view, then ALL software and hardware manufacturers are at fault for this, since they all use it.

by your logic, you are at just as much fault for installing OSX and not replacing Bash with your own implementation (and really you would need to just write your whole own OS before using it or you are at fault for anything that goes wrong).

there is a difference between being responsible for issuing a fix (which again there is not one yet from anyone - so maybe apple is writing their own fix) and being at fault. deciding to use freeware does not make apple at fault, and has nothing to do with only caring about the bottom line... there is no need to reinvent the wheel (that no one knew had a flaw for 20 years - the writers of bash should have discovered it long ago).
 
so you would rather that no third party software is allowed to be run on a mac? and that apple writes all its own code... well then say goodbye to a lot of cross platform features... SMB is owned by Microsoft and has to be licensed for use... so no more windows networking on mac...

and even if you want to continue with your narrow view, then ALL software and hardware manufacturers are at fault for this, since they all use it.

by your logic, you are at just as much fault for installing OSX and not replacing Bash with your own implementation (and really you would need to just write your whole own OS before using it or you are at fault for anything that goes wrong).

there is a difference between being responsible for issuing a fix (which again there is not one yet from anyone - so maybe apple is writing their own fix) and being at fault. deciding to use freeware does not make apple at fault, and has nothing to do with only caring about the bottom line... there is no need to reinvent the wheel (that no one knew had a flaw for 20 years - the writers of bash should have discovered it long ago).

People buy Apple because of expectations of high quality and resilience to issues.

As time marches on, those 2 items are becoming less of a part of Apple products.

It's odd that a company so controlling over every little detail would use free stuff that's available for anyone to look at the SOURCE!

What's next, RTEMS mac OS ???:p
 
Hands up who has exposed their Bash to the internet?

What, you don't know what I'm talking about? Then you're not affected.

Sensationalist reporting on this all over the web. OS X is not affected unless you are running a web server with it.

Wrong. See below for why.

In a related note, if Bash is exposed through the Apache web server, wouldn't that be a huge gaping hole in Apache? Bash is a shell but it's also basically a full blown programming environment; nothing coming in from the internet should have access to that. Except through SSH, where SSH takes over protective duties.

Wrong. Apache wouldn't have the bug. Apache would be the attack vector, not the place that has the bug to begin with.

Ok.. first - let me admit: TL;DR (most of it)..

But - that being said.

I do install the Unix packages and run X-programs. I also use XDM to manage remote clients on my home network as well as ssh / telnet / ftp, etc..

But - I don't run apache or anything like that... I do plan on setting up a Sun / Solaris box as a fileserver in the near future and will be setting up ssh and a DMZ so I can get in remotely - but once again - no webserver.

So, this won't affect me, correct?

Your server in the DMZ that has SSH running would be affected, if you have bash as a usable shell on that server. However, since it would be in a DMZ, that is only as far as the attack could go.

As far as webservers go, any webserver that has the ability to run CGI scripts or PHP would be affected. Apache, if running mod_cgi, would have the ability to run bash scripts as CGI. So any attack would use Apache to get to the vulnerability in bash. So until your version of bash is patched, disable mod_cgi.

Because of that, PHP with apache would be affected. You can execute system() calls through PHP, and execute /path/to/bash from there, which gets you to the same problem. Apache and mod_php5 would be the attack vector, bash would be the vulnerability.

SSH has the ability to set up variables when invoking the user's session, so that is an inherent attack vector; DHCP is as well.

Bash doesn't have to be exposed to the internet for it to be vulnerable. Bash just has to be installed for it to be vulnerable, and those who are claiming 'sensationalism' and 'blown out of proportion' really don't have a clue what they are talking about.

Disclaimer: 21-year Linux Sysadmin here, still in the middle of patching ~200 servers at my job to fix this.

BL.
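The post above separates the vulnerability (bash importing a function definition from any environment variable) from the vectors that feed attacker-controlled environment into it (mod_cgi, PHP system() calls, SSH, DHCP). The following added example, which is not code from the thread or from any poster, gives a defender two checks for that: the vendor-published self-test against a bash binary (assumed to be whatever `bash` is on `$PATH` unless a path such as `/bin/bash` is passed), and a scan of web-server log lines for requests that carry a function definition in a header, run here over a constructed sample log.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a local bash for the function-
# import bug and scans a log for probes that try to reach it through CGI.

# Ask the given bash to import a function from the environment. The function
# body is a no-op (:); a fixed bash stops parsing after the body and prints
# only "test", while an unfixed one also runs the trailing echo.
# Prints: vulnerable | patched | no-bash (binary not found).
shellshock_status() {
    bash_bin="${1:-bash}"   # assumption: default to bash on $PATH
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Count log lines in which any request field carries the "() {" prefix that
# bash recognised as a function definition. Header values such as User-Agent
# and Referer become environment variables for a CGI script, which is why
# they are worth watching on a host that still runs mod_cgi.
shellshock_log_hits() {
    grep -c -E '\(\) *\{' "$1" || true   # grep exits 1 on zero matches
}

# Constructed sample of Apache combined-format log lines, not real traffic:
# one ordinary request and one probe with a function definition in User-Agent.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; /bin/true"
EOF

echo "bash status: $(shellshock_status)"
echo "suspicious requests in sample log: $(shellshock_log_hits "$SAMPLE_LOG")"
```

On OS X, run `shellshock_status /bin/bash` as well, since a bash rebuilt from GNU sources usually lands in /usr/local/bin and leaves the system copy untouched.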
 
Bash just has to be installed for it to be vulnerable, and those who are claiming 'sensationalism' and 'blown out of proportion' really don't have a clue what they are talking about.

How does that work, if you aren't running any services how can it be exploited? It obviously can if you are sitting in front of the machine with an open terminal, but then that's an issue with or without this bug.
 
How does that work, if you aren't running any services how can it be exploited? It obviously can if you are sitting in front of the machine with an open terminal, but then that's an issue with or without this bug.

You pretty much nailed it in bold. Yes, it would take physical access to your machine for it to occur, but that doesn't mean that the bug still isn't there.

Most normal users aren't going to be worried about this, no. However, most users would also set themselves up as administrators to their own Mac. And how much would you guess the over/under is for whether they have not set a password on their account on their Mac?

If they hadn't, a person who knows what they are doing could not only create their own account on it, but enable SSH at the least to get access to it remotely. From there, it's all downhill.

I'd wager on that being able to be done in less than 3 minutes.

BL.
 
You pretty much nailed it in bold. Yes, it would take physical access to your machine for it to occur, but that doesn't mean that the bug still isn't there.

Yes, but even if the bug is present, if you are sitting in front of the keyboard with a shell then you don't need to use this bug to run commands, because you can just run them directly. The question here really, imo, is if the bug is exposed externally to the internet.
 
Yes, but even if the bug is present, if you are sitting in front of the keyboard with a shell then you don't need to use this bug to run commands, because you can just run them directly. The question here really, imo, is if the bug is exposed externally to the internet.

Doesn't really have to be exposed to the Internet, though. Intranet would be included.

BL.
 
Doesn't really have to be exposed to the Internet, though. Intranet would be included.

BL.

Yeah, but an intranet is an internet, but the (capital I) Internet would be more far reaching. I was thinking of internet in more general terms. ;)
 
You need to have enabled SSH access (remotely) and some kind of web server on your Mac to be affected. If you have neither of these active then you aren't vulnerable to the exploit. Even turning on the firewall would have stopped any possible exploit.

My Macs aren't open to the public but I recompiled bash from GNU sources anyways. The links are in this thread. I had a harder time fixing my Linux servers (12.04 LTS, no longer supported) which were open to the internet, took forever to fix broken dependencies and upgrade the distro. The Mac GNU recompile was much more simple in comparison.
 
You need to have enabled SSH access (remotely) and some kind of web server on your Mac to be affected. If you have neither of these active then you aren't vulnerable to the exploit. Even turning on the firewall would have stopped any possible exploit.

DHCP.

My Macs aren't open to the public but I recompiled bash from GNU sources anyways. The links are in this thread. I had a harder time fixing my Linux servers (12.04 LTS, no longer supported) which were open to the internet, took forever to fix broken dependencies and upgrade the distro. The Mac GNU recompile was much more simple in comparison.

Ubuntu. there's your problem right there. ;)

Sorry, I digressed.

BL.
 