Follow-up: most Mac users 'not at risk' from Bash vulnerability
NewsPoster
MacNN Staff
Join Date: Jul 2012
Sep 26, 2014, 03:18 AM
 
An Apple spokesperson has reassured Mac users that the "vast majority" of users are not at risk from a serious bug discovered in the UNIX shell Bash that some researchers have called "potentially bigger than the Heartbleed vulnerability." Apple says that only those who have configured "advanced UNIX services" using the Terminal in OS X could be at risk from the flaw -- which would mean that nearly all OS X users would be unaffected. Nevertheless, the company is said to be working on a fix.



The "Shell Shock" flaw allows for code held in environment variables to be executed within the shell as soon as it is invoked, potentially allowing for the control of affected systems to be taken over by another user. The Red Hat team which discovered the bug has already come up with a patch, with the United States Computer Emergency Readiness Team (US-CERT) reporting that various Linux distributions have also been updated to fight the vulnerability, though this may not be enough. An Apple spokesperson told iMore that the company was "working to quickly provide a software update for our advanced UNIX users."

"With OS X, systems are safe by default and not exposed to remote exploits of Bash," the spokesperson said. Users on Stack Exchange have noted ways to test a Bash shell for the vulnerability and the method for installing a patch, though, as the Apple spokesperson said, only those running a UNIX package that opens ports to the public Internet would be at any risk. An official fix to the flaw is likely to come quickly. Once patched, some scripts that relied on the Bash shell may break and need to be updated themselves.
     
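A local self-test of the kind the article alludes to, written out as an added example (it is not taken from the article, Apple, or the Stack Exchange posts it mentions). The function names and the marker string are made up for illustration, and shell paths are assumed to be absolute.

```shell
#!/bin/sh
# Added example: report whether a shell binary executes a command that trails
# a function definition handed to it through an environment variable, which is
# the behaviour the article describes. Names here are illustrative only.

# Print one verdict for the shell at absolute path $1:
# vulnerable, patched, missing or unknown.
probe_shell() {
    bin=$1
    [ -x "$bin" ] || { echo missing; return 0; }
    marker="PROBE_MARKER_$$"   # constructed, harmless marker string
    # env -i starts the child with a clean environment that holds only the
    # probe variable, so nothing else in the caller's environment interferes.
    out=$(env -i probe="() { :;}; echo $marker" "$bin" -c 'echo ran' 2>/dev/null) || true
    case $out in
        *"$marker"*) echo vulnerable ;;  # the trailing command ran at start-up
        *ran*)       echo patched ;;     # only the requested command ran
        *)           echo unknown ;;     # the shell did not start as expected
    esac
}

# Probe every path given, print "path: verdict" for each, and return the
# number of shells found vulnerable (0 means none).
audit_shells() {
    bad=0
    for shell_path in "$@"; do
        verdict=$(probe_shell "$shell_path")
        echo "$shell_path: $verdict"
        [ "$verdict" = vulnerable ] && bad=$((bad + 1))
    done
    return "$bad"
}

# Check the bash found on PATH; pass further absolute paths to check more.
audit_shells "$(command -v bash)" || echo "update bash before exposing services"
```
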
prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Sep 26, 2014, 09:33 AM
 
I've also read applications that use bash behind the scenes to create and manage log files could be susceptible. There are many applications that create log files, including OSX's crash reporter. I would like to know who the Apple spokesperson is but of course nobody ever releases names so we have some idea whether they have the technical expertise to make that statement.
     
DiabloConQueso
Grizzled Veteran
Join Date: Jun 2008
Sep 26, 2014, 09:49 AM
 
If the application is already running on the system, then it's already got access and can run whatever code it likes -- there would be no need to exploit this bash bug.
     
just a poster
Forum Regular
Join Date: Jun 2004
Sep 26, 2014, 10:12 AM
 
Apple is being misleading by essentially claiming that the vulnerability does not exist because there is a low chance of it being exploited on a default configured, non-server OS remotely. Very disappointing, but let's just chalk it up to Baghdad Bob-speak.

Addressing this vulnerability quickly is a sign of professionalism. Ignoring it, a deep symptom of corporate management problems.
     
chimaera
Dedicated MacNNer
Join Date: Apr 2007
Sep 26, 2014, 02:21 PM
 
I'd like to see how far back they'll patch OS X. The latest two versions are not enough in my opinion. Especially since the less tech savvy people are, the more likely they'll keep using their original OS.
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Sep 26, 2014, 03:04 PM
 
Let's remember for a moment that Apple doesn't own or run UNIX, and that bash is part of UNIX; Apple isn't responsible for the fix, just for implementing the fix into its own system. As for how far back, in the case of security Apple tends to go back to the reference point, which currently is the four-year-old Lion.

I don't feel that Apple was being *at all* misleading or dismissive of the problem. The fact of the matter is that something like 0.2 percent of Mac owners are running the kind of Internet-facing Unix-based web services that would be vulnerable; prl99's claim based on something read somewhere about log files is utter nonsense. As the article states, the "vast majority" of Mac owners are, in fact, unaffected. And, again as the article says, Apple is working with the community on a fix.
Charles Martin
MacNN Editor
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Sep 26, 2014, 04:36 PM
 
The vast majority of Mac owners are not DIRECTLY affected, Apple should have said. Exploits generated by the flaw on routers and any of a thousand other finicky little things are going to cause problems.
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Sep 27, 2014, 11:25 AM
 
I would disable all SSH and Apache servers on your system (if you are running them) until Apple releases a fix.
     
josehill
Fresh-Faced Recruit
Join Date: May 2012
Sep 28, 2014, 01:27 PM
 
I think the Apple spokesperson is oversimplifying things quite a bit. This is a serious vulnerability, and there may be subtle ways of exploiting it that have not been widely publicized. I expect Apple will issue patches very quickly -- if they do so, you can be sure that Apple's engineers thought it was a serious vulnerability, even if their PR people didn't.

By the way, for users of older versions of MacOS X (versions that Apple might not patch, like Snow Leopard and earlier), you might want to take a look at the patch that the developers of TenFourFox have compiled for Intel and PowerPC Macs running 10.4-10.9. http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html
     
   