ShellShock bug in OSX and 'nix

Joined
Dec 8, 2009
Messages
453
Reaction score
10
Points
18
Location
The same as Sheldon Cooper - East Texas
Your Mac's Specs
iMac 2014 i5 5k 32gb 1tb fusion, second TB display, 2014 MBA
A real bug was described today that will affect OSX and any 'nix's. There are no known exploits in the wild yet, but it is fairly serious. I can play with it on Debian and it is easy to use, although I don't really see a way for someone to trigger it over the net. However, my statement of "I don't see how..." puts no limits on a determined hacker.

OSX has it also, including 10.9.5 just installed today. I haven't played with it on my Mac because I don't want to possibly wreck my production machine. On Linux, you can disable Bash and replace it with the C shell for a temporary solution, but I have a feeling that OSX will croak if you try that.


To see if you have it (and you do, as of 9/24/14) run the following at the command line...

env x='() { :;}; echo I got it' bash -c "echo do I have the bug"

If you get back "I got it" then the answer is yes.


A good return, when Apple patches it, should look like this...

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

Bash is used by much stuff and Apple needs to put out a patch chop-chop.
 
Joined
Jun 13, 2012
Messages
531
Reaction score
23
Points
18
Location
Las Vegas... as of 23 Feb 2018
Your Mac's Specs
27" iMac mid-2011, ipad.Air 2', iPhone 8+.
Sheldon,
What is Apple doing about this? 10.9.6?
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
"Unix is an operating system on which many others are built, such as Linux and Mac OS."
As much as I like the BBC, they lost all credibility when they suggested that Linux was built on Unix.

Word on the street, and perhaps reasonably so, suggests that the major target and likely source of most trouble will be web servers. Desktop users might be hit but it would appear that most issues will be attacks on servers which could very well affect you by trickling down.
 
Joined
May 19, 2013
Messages
125
Reaction score
0
Points
16
Your Mac's Specs
iMac 21.5",mid2011,2.5 GHz,12 GB mem,OSX 10.13.6; iPhone SE; MacBook Air,early2015,1.6 GHz,4GB
cptkrf, I ran the command and got back the answer "do I have the bug". Does this mean I am OK, or did I do something wrong?
Dan
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
If you're using OS X, you're susceptible to it now unless you've manually upgraded Bash (which, I'm guessing that you haven't).
 
Joined
May 19, 2013
Messages
125
Reaction score
0
Points
16
Your Mac's Specs
iMac 21.5",mid2011,2.5 GHz,12 GB mem,OSX 10.13.6; iPhone SE; MacBook Air,early2015,1.6 GHz,4GB
I just checked my version of bash:

GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin11).

Should I update this?

Thanks
Dan
 
Joined
Apr 26, 2008
Messages
2,963
Reaction score
120
Points
63
Location
Belgium
Your Mac's Specs
iPad Pro 12.9 latest iOS
I am pretty sure that Apple will patch this as part of Yosemite !

Cheers ... McBie
 
Joined
Feb 25, 2009
Messages
2,112
Reaction score
71
Points
48
Your Mac's Specs
Late 2013 rMBP, i7, 750m gpu, OSX versions 10.9.3, 10.10
I am pretty sure that Apple will patch this as part of Yosemite !

Cheers ... McBie

I hope they add it in as it's not patched in the latest DP.
 
OP
cptkrf
Joined
Dec 8, 2009
Messages
453
Reaction score
10
Points
18
Location
The same as Sheldon Cooper - East Texas
Your Mac's Specs
iMac 2014 i5 5k 32gb 1tb fusion, second TB display, 2014 MBA
cptkrf, I ran the command and got back the answer "do I have the bug". Does this mean I am OK, or did I do something wrong?
Dan

You got it. But that is a given as of today. This bug has been around unnoticed for a long time and was just found, so all versions of OSX, Unix and Linux will have it if they are using standard Bash.

You would get something like the following if you were immune or it was fixed.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
 
Joined
May 19, 2013
Messages
125
Reaction score
0
Points
16
Your Mac's Specs
iMac 21.5",mid2011,2.5 GHz,12 GB mem,OSX 10.13.6; iPhone SE; MacBook Air,early2015,1.6 GHz,4GB
So what do I do? Just wait for Apple to put out an update that fixes this?
Thanks
Dan
 
Joined
Nov 28, 2007
Messages
25,564
Reaction score
486
Points
83
Location
Blue Mountains NSW Australia
Your Mac's Specs
Silver M1 iMac 512/16/8/8 macOS 11.6
Just calm down and ignore. The next update will take care of things.
 
Joined
May 19, 2013
Messages
125
Reaction score
0
Points
16
Your Mac's Specs
iMac 21.5",mid2011,2.5 GHz,12 GB mem,OSX 10.13.6; iPhone SE; MacBook Air,early2015,1.6 GHz,4GB
Thanks Harry, I am calm, just don't know too much about the inside workings of computers, something anyone who has read any of my recent posts is already aware of.:Confused::)
 
Joined
Feb 14, 2004
Messages
4,781
Reaction score
166
Points
63
Location
Groves, Texas
I just updated bash with homebrew. It is GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.4.0)
If you don't have it, it should look like this:

Terminal — bash — 200×46 2014-09-25 18-05-48.png
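
The check from the opening post, applied to every bash binary on the machine, since a package-manager install such as the Homebrew one above adds a second bash under its own prefix rather than replacing /bin/bash. This is an added example, not part of any post in the thread; the function names and the list of candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: run the thread's probe against each bash binary and classify it.
MARKER='I got it'           # echoed only if the text after the function body runs
CANARY='do I have the bug'  # echoed by the legitimate -c command in every case

# classify_probe_output TEXT -> vulnerable | patched | inconclusive
classify_probe_output() {
    case "$1" in
        *"$MARKER"*) echo vulnerable ;;    # injected trailer was executed
        *"$CANARY"*) echo patched ;;       # command ran, trailer did not
        *)           echo inconclusive ;;  # the shell never ran the command
    esac
}

# probe_bash PATH -> result of the probe for one bash binary
probe_bash() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo missing
        return 0
    fi
    # Same command as in the opening post; stderr is captured so the
    # "ignoring function definition attempt" warning does not hide the result.
    out=$(env x="() { :;}; echo $MARKER" "$shell_path" -c "echo $CANARY" 2>&1) || true
    classify_probe_output "$out"
}

# Candidate locations are an assumption: system bash plus common
# package-manager prefixes. Scripts with #!/bin/bash use the first one
# no matter which bash comes first on PATH.
scan_bash_binaries() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/homebrew/bin/bash; do
        [ -e "$candidate" ] || continue
        version=$("$candidate" --version 2>/dev/null | head -n 1) || true
        printf '%s\t%s\t%s\n' "$candidate" "$version" "$(probe_bash "$candidate")"
    done
}

scan_bash_binaries
```

The line "do I have the bug" is printed whether or not the shell is affected, so the presence of "I got it" is the only signal that matters.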
 
OP
cptkrf
Joined
Dec 8, 2009
Messages
453
Reaction score
10
Points
18
Location
The same as Sheldon Cooper - East Texas
Your Mac's Specs
iMac 2014 i5 5k 32gb 1tb fusion, second TB display, 2014 MBA
As Vansmith has said, any problems will probably be at the server level. This is not a virus, nor is it malware - it is just some bad coding that hasn’t been noticed since it was written. Unfortunately the problem is in a fundamental part of the ‘Nix OS’s.

To hit the OSX community en masse would still require a drive-by virus to use the flaw (none known to exist) or convince a bunch of Mac users to enter their root password for this wonderful screensaver package with photos of the scantily clad starlets. i.e. It is a flaw that could be used by a virus or malware ONCE PLANTED ON YOUR SYSTEM, but it does not help in the problem of getting it inside your Mac to be executed.

Now, if a hacker picks a particular machine - no doubt a web or db server - and pounds on it to find some dumb password with authority, then that IT department has major problems. But for the rest of us, we just need to wait for Apple to fix the hole. I suspect that the pizza boxes are stacking up even as we speak outside the door of the Apple lab. (And a lot of other places - Debian, Redhat, BSD and so on.)

For now, remember the cover on the HHGTTG. "Don't Panic!"
 
OP
cptkrf
Joined
Dec 8, 2009
Messages
453
Reaction score
10
Points
18
Location
The same as Sheldon Cooper - East Texas
Your Mac's Specs
iMac 2014 i5 5k 32gb 1tb fusion, second TB display, 2014 MBA
I just updated bash with homebrew. It is GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.4.0)
If you don't have it, it should look like this:

Have you noticed any broken shell scripts? I ask because the OSX sh and Linux sh are slightly different.
 
Joined
Nov 28, 2007
Messages
25,564
Reaction score
486
Points
83
Location
Blue Mountains NSW Australia
Your Mac's Specs
Silver M1 iMac 512/16/8/8 macOS 11.6
chas m have you ever kept count of how many of these 'scares' have been about since the inception of OS X eleven or so years ago?
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
chas m have you ever kept count of how many of these 'scares' have been about since the inception of OS X eleven or so years ago?
That may be so but the real issue is what I've been saying for years: Apple is oddly lethargic when it comes to security. As this Ars Technica article argues,
Chet Ramey, the maintainer of bash, said in a post to Twitter that he had notified Apple of the vulnerability several times before it was made public, "and sent a patch they can apply. Several messages."
Once again, Apple is approached by a researcher/developer highlighting an issue with software and they largely ignore it. Add that to the recent revelation that Apple was also told about a particular iCloud weakness months before it was exploited, only to ignore that as well, and we have another example of how something that may not be all that problematic ("shellshock") speaks to a much larger problem.

I'm starting to think that reporting security issues ends up in some weird black hole at Apple. I like the company and I like what they make but their willful ignorance sometimes baffles me.
 
