Follow-up: most Mac users 'not at risk' from Bash vulnerability
MacNN Staff
Join Date: Jul 2012
An Apple spokesperson has reassured Mac users that the "vast majority" of users are not at risk from a serious bug discovered in the UNIX shell Bash that some researchers have called "potentially bigger than the Heartbleed vulnerability." Apple says that only those who have configured "advanced UNIX services" using the Terminal in OS X could be at risk from the flaw -- which would mean that nearly all OS X users would be unaffected. Nevertheless, the company is said to be working on a fix.
The "Shell Shock" flaw allows code held in environment variables to be executed within the shell as soon as it is invoked, potentially allowing another user to take control of affected systems. The Red Hat team which discovered the bug has already come up with a patch, with the United States Computer Emergency Readiness Team (US-CERT) reporting that various Linux distributions have also been updated to fight the vulnerability, though this may not be enough. An Apple spokesperson told iMore that the company was "working to quickly provide a software update for our advanced UNIX users."
"With OS X, systems are safe by default and not exposed to remote exploits of Bash," the spokesperson said. Users on Stack Exchange have noted ways to test a Bash shell for the vulnerability and the method for installing a patch, though, as the Apple spokesperson said, only those running a UNIX package that opens ports to the public Internet would be at any risk. An official fix to the flaw is likely to come quickly. Once patched, some scripts that relied on the Bash shell may break and need to be updated themselves.
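The behaviour the article describes, code in an environment variable running as soon as the shell starts, can be checked locally with a probe that only prints a marker. This is an added example, not taken from the article or from the Stack Exchange posts it mentions; the variable name `probe`, the marker string and the function names are made up for illustration, and `sh` is audited alongside `bash` because it may be Bash under another name.

```shell
#!/bin/sh
# Added example: audit local bash/sh binaries for the environment-variable
# function-import flaw. The probe's trailing command only echoes a marker.

MARKER="env-import-executed"   # constructed marker string

# check_shell PATH -> prints "vulnerable", "not-vulnerable" or "missing"
check_shell() {
  [ -x "$1" ] || { echo "missing"; return 0; }
  # The value looks like a function definition followed by one more command.
  # A flawed shell runs that trailing command while importing the variable at
  # startup, before it even reaches the no-op ':' it was asked to execute.
  out=$(env probe="() { :;}; echo $MARKER" "$1" -c ':' 2>/dev/null) || true
  case "$out" in
    *"$MARKER"*) echo "vulnerable" ;;
    *)           echo "not-vulnerable" ;;
  esac
}

# list_shells -> bash/sh entries from /etc/shells, plus /bin/sh and bash on PATH
list_shells() {
  {
    grep -E '/(ba)?sh$' /etc/shells || true
    echo /bin/sh
    command -v bash || true
  } 2>/dev/null | sort -u
}

# audit -> one "path status" line per shell; returns 1 if any is vulnerable
audit() {
  rc=0
  for sh_path in $(list_shells); do
    status=$(check_shell "$sh_path")
    echo "$sh_path $status"
    if [ "$status" = "vulnerable" ]; then rc=1; fi
  done
  return $rc
}

audit
```

Every copy is listed separately because a patched Bash installed in one location does not replace an older binary elsewhere on the system.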
Senior User
Join Date: Mar 2009
Location: pacific northwest
I've also read applications that use bash behind the scenes to create and manage log files could be susceptible. There are many applications that create log files, including OSX's crash reporter. I would like to know who the Apple spokesperson is but of course nobody ever releases names so we have some idea whether they have the technical expertise to make that statement.
Grizzled Veteran
Join Date: Jun 2008
If the application is already running on the system, then it's already got access and can run whatever code it likes -- there would be no need to exploit this bash bug.
Forum Regular
Join Date: Jun 2004
Apple is being misleading by essentially claiming that the vulnerability does not exist because there is a low chance of it being exploited on a default configured, non-server OS remotely. Very disappointing, but let's just chalk it up to Baghdad Bob-speak.
Addressing this vulnerability quickly is a sign of professionalism. Ignoring it, a deep symptom of corporate management problems.
Dedicated MacNNer
Join Date: Apr 2007
I'd like to see how far back they'll patch OS X. The latest two versions are not enough in my opinion. Especially since the less tech savvy people are, the more likely they'll keep using their original OS.
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Let's remember for a moment that Apple doesn't own or run UNIX, and that bash is part of UNIX; Apple isn't responsible for the fix, just for implementing the fix into its own system. As for how far back, in the case of security Apple tends to go back to the reference point, which currently is the four-year-old Lion.
I don't feel that Apple was being *at all* misleading or dismissive of the problem. The fact of the matter is that something like 0.2 percent of Mac owners are running the kind of Internet-facing Unix-based web services that would be vulnerable; prl99's claim based on something read somewhere about log files is utter nonsense. As the article states, the "vast majority" of Mac owners are, in fact, unaffected. And, again as the article says, Apple is working with the community on a fix.
Charles Martin
MacNN Editor
Managing Editor
Join Date: Jul 2012
The vast majority of Mac owners are not DIRECTLY affected, Apple should have said. Exploits generated by the flaw on routers and any of a thousand other finicky little things are going to cause problems.
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
I would disable all SSH and Apache servers on your system (if you are running them) until Apple releases a fix.
Fresh-Faced Recruit
Join Date: May 2012
I think the Apple spokesperson is oversimplifying things quite a bit. This is a serious vulnerability, and there may be subtle ways of exploiting it that have not been widely publicized. I expect Apple will issue patches very quickly -- if they do so, you can be sure that Apple's engineers thought it was a serious vulnerability, even if their PR people didn't.
By the way, for users of older versions of MacOS X (versions that Apple might not patch, like Snow Leopard and earlier), you might want to take a look at the patch that the developers of TenFourFox have compiled for Intel and PowerPC Macs running 10.4-10.9. http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html