
A newly disclosed vulnerability in the Bash command shell, which ships with many versions of Unix including Apple’s OS X desktop operating system, leaves Mac computers open to so-called ‘Shell Shock’ attacks, security researchers at Red Hat discovered Thursday.

Though the bug lets attackers run malicious scripts remotely, most people are not at risk unless they have manually enabled SSH access for remote connections or are running a web server that executes server-side scripts.

Here’s how you can check if you’re vulnerable and what you can do in order to avoid ‘Shell Shock’ attacks on your system.

“You are only truly vulnerable if someone you do not know can remotely access your machine and do so in a way where a Bash command can be executed,” researchers explained.

A thread on Stack Exchange explains that determining whether or not your Mac is prone to Shell Shock attacks involves running the following command in Terminal (found inside your Mac’s Applications folder):

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If the word ‘vulnerable’ gets printed in the Terminal window after running the above command, your system is exploitable.

If it says:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

then you are good.
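For readers who would rather script the check than read the verdict off the screen, here is an added example that is not part of the original article or the Stack Exchange thread. It runs the exact probe given above, merges what Bash prints on stdout and stderr, and classifies the result as vulnerable, patched or unknown (the last covering the case where no bash binary is found). The optional Remote Login status report relies on macOS’s systemsetup utility, which the article does not mention and which needs root; on other systems the function simply reports n/a.

```shell
#!/bin/sh
# Added example (not from the original article): wraps the article's Terminal
# probe so the verdict can be scripted. It runs the same command the article
# gives and classifies what Bash printed.

# Classify the combined stdout+stderr of the probe.
# Prints one of: vulnerable | patched | unknown
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;  # the body after the function definition ran
        *hello*)      echo "patched" ;;     # bash refused the definition and ran our command
        *)            echo "unknown" ;;     # e.g. no bash binary was found
    esac
}

# Run the article's probe against a given bash binary (default: the one on PATH).
# The variable's value starts with "() {", which an unpatched bash treats as an
# exported function definition and, wrongly, keeps executing past the closing brace.
shellshock_check() {
    bash_bin="${1:-bash}"
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>&1)
    classify_probe_output "$out"
}

# macOS only: report whether Remote Login (sshd) is enabled, the exposure the
# article tells desktop users to switch off. systemsetup is an assumed helper here
# (real macOS tool, but not mentioned by the article); it needs root to answer.
remote_login_status() {
    if command -v systemsetup >/dev/null 2>&1; then
        systemsetup -getremotelogin 2>/dev/null || echo "Remote Login: (run with sudo)"
    else
        echo "n/a"
    fi
}

main() {
    echo "bash probe: $(shellshock_check)"
    echo "$(remote_login_status)"
}

main "$@"
```

On a patched system the script reports "bash probe: patched" for the same reason the article gives: Bash warns that it is ignoring the function definition and then runs only the requested echo hello. Pass a path as the first argument to shellshock_check if you have compiled a second Bash and want to test that binary rather than the one on your PATH.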

The adventurous types who have Apple’s Xcode and the command-line compilers installed can fix the issue on their own by compiling a new, patched Bash version.

Be warned that the process is not for the faint-hearted. If you feel like giving it a shot, follow the full instructions in the linked Stack Exchange thread.

Security researcher Robert Graham wrote on his blog that the Bash bug is “as big as the Heartbleed bug”, the flaw discovered earlier this year in the widely used OpenSSL software that powers many web servers.

Because the Bash vulnerability has been around for a long time, there are lots of old devices on the network vulnerable to this bug. “The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed,” Graham wrote.

Disable Remote Login in System Preferences, just in case.

Again, the vulnerability should mainly concern system administrators on Mac OS X, Unix and Linux servers exposed to the world rather than desktop users, the vast majority of whom never enable SSH sharing in System Preferences.

Apple’s latest OS X Mavericks 10.9.5, which was released last week, does not include a fix for the Bash vulnerability. Since several Linux distributions already have patches available, chances are Apple will soon release a fix for OS X as well.

At any rate, we’ll keep you posted.

[RedHat Blog]

  • Chetan

    My mac says vulnerable 🙁

    • rockdude094

      Hackers attack him !!!!

    • Kamal Ahmad

      hide yo mac hide yo wifi

  • Manor

    Probably the worst week apple had in a while

    • This exploit is nothing to do with Apple. It’s to do with bash and Apple will likely issue a software update at some point. It’s possible to fix it by manually compiling bash too, so it’s not like you have to wait for Apple.

  • This is there in all Linux-based machines.
    Debian/Ubuntu etc. have released an update for 2 packages which resolves this issue.

    • DogeCoin

      Supposedly Ubuntu/Debian based are “safe” due to programs using dash instead of bash (the user-launched terminal uses bash, but internal stuff uses dash). Nevertheless, there are still patches.

  • Jared

    Mine says vulnerable as well 🙁

    • rockdude094

      Not a good idea to let ppl know ..

      • Ian Leon

        I wonder what his IP is lol

      • Kamal Ahmad

        Unless they got his skype or email to DOX him, I doubt they can do anything.

  • Ian Leon

    How do we know you’re not malicious hackers who hacked iDB and are trying to get us to run some weird command line

    • Have you even looked at the code? It’s just bash and echo commands.

      • Ian Leon

        Idk Unix command lines

  • Al Fresco

    Mine says vulnerable too….
    I’m turning off printer and screen sharing as well as file sharing on my mac. Remote login has never been on.

  • Hyr3m

    LawL 😀 What a great weak for Apple ! (Pun intended)

  • Luke

    This is probably easy to patch, the bending issue for the 6’s isn’t.

  • Adam

    This, Bending iPhones, iOS 8.0.1. What else Apple? Get your things together man! This isn’t the Apple Steve Jobs wanted to continue on working on. This is truly the Tim Cook era and it’s being a total disaster.

    • Neil Sardesai

      This affects all Unix-based systems. Furthermore, Bash has been ported over to Windows, Android, and other systems too.
      So yeah. This isn’t Apple’s fault.

      iOS 8.0.1 however…

      • Joseph

        Just tested it on my iPad Air on 7.1.2. Reported as vulnerable.

      • veggiedude

        And the bendy thing affects all phablets too.

      • mrgerbik

        just tested on ubuntu 12.04 – no issue – so no, not *all* unix based systems are affected

      • DogeCoin

        Ubuntu has already been patched.

    • Kye W

      Apple doesn’t make bash.

  • Ricky

    Phew, it says Hello. I’m fine here

  • mark

    Linux has fixed this, before I even read the article.

  • Marcus

    My Mac is vulnerable and I have File Sharing, Remote Login, and Remote Management all turned on… Goodbye to all that!