Shell Shock (System Preferences 001)

A fix for a new kind of exploit recently discovered in the Bash command shell used in multiple versions of Unix is underway, Apple confirmed Friday, adding that the “vast majority” of Mac users are unaffected because OS X is “safe by default” from the so-called ‘Shell Shock’ attacks.

“The vast majority of OS X users are not at risk to recently reported Bash vulnerabilities,” an Apple spokesperson said in a statement quoted by The Verge.

The vulnerability was documented and publicized Thursday by security researchers at Red Hat and gained prominence after security expert Robert Graham called it “as big as the Heartbleed bug,” referring to a nasty vulnerability discovered earlier in the year in the OpenSSL software used by nearly two-thirds of the servers powering the Internet.

Bash is a popular Unix command shell, and because Apple’s OS X is built on a UNIX foundation, the shell ships as part of OS X.

While acknowledging that many flavors of Unix, OS X included, have a weakness that could allow unauthorized users to remotely gain control of vulnerable systems, Apple did underscore that OS X systems are “safe by default” and “not exposed” to remote exploits of Bash “unless users configure advanced Unix services”.

To check if your Mac computer is vulnerable, paste the following into the Terminal window (you can find the Terminal app inside your Mac’s Applications folder):

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If the first line of output is ‘vulnerable’ (followed by ‘hello’), your Mac is exploitable.

If it says:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

then you’re safe.
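As an added example (not part of the article), the same probe wrapped in a small POSIX sh script that runs it against a given bash binary and turns the output into a verdict; it also covers a case the article does not show, where a newer Bash prints only hello because it no longer imports plain variables as functions.

```sh
#!/bin/sh
# Added example (not from the article): wraps the article's one-line Shellshock
# test in functions so the verdict can be scripted, e.g. for several bash
# binaries (/bin/bash, a locally compiled /usr/local/bin/bash).

# Run the article's probe against a given bash binary and return its combined
# stdout+stderr. The variable's value looks like an exported function definition
# followed by an extra command; a vulnerable bash runs that extra command while
# importing the variable.
shellshock_probe() {
    bash_bin="${1:-bash}"
    env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>&1
}

# Map the captured output to a verdict.
#   VULNERABLE   - the injected "echo vulnerable" ran
#   PATCHED      - bash saw the definition and refused it (the warning in the article)
#   NOT_IMPORTED - only "hello": newer bash no longer treats plain variables as functions
#   UNKNOWN      - anything else (e.g. the binary was not found)
classify_shellshock_output() {
    case "$1" in
        *vulnerable*)                              echo VULNERABLE ;;
        *"ignoring function definition attempt"*)  echo PATCHED ;;
        hello)                                     echo NOT_IMPORTED ;;
        *)                                         echo UNKNOWN ;;
    esac
}

# Probe and classify in one step.
shellshock_check() {
    classify_shellshock_output "$(shellshock_probe "$1")"
}

# Check the bash found on PATH, or the binary given as the first argument.
echo "bash under test: ${1:-bash} -> $(shellshock_check "${1:-bash}")"
```

Run it as `sh check.sh /bin/bash` before and after installing a rebuilt Bash to confirm the verdict changes from VULNERABLE to PATCHED or NOT_IMPORTED.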

Several variants of Linux already have patches available, and a fix for OS X is underway, Apple said.

“We are working to quickly provide a software update for our advanced Unix users,” said the Cupertino firm.

The impatient types who know their way around Terminal can fix the problem themselves by compiling a new, patched Bash version, as outlined in a detailed tutorial in this Stack Exchange thread.

[The Verge]

  • Kenneth Plas

    It says ‘vulnerable hello’, what now?

    • #Destiny

      ^^^^

  • John Wolf

    Mine says “vulnerable”; looks like I’ll have to tone back the porn a bit.

    • John Wolf

      Really though, I’m not running a server and I’m only truly vulnerable if someone I do not know can remotely access my machine & do so in a way where a Bash command can be executed. I think I’ll just keep doing what I usually do and wait for the inevitable fix.

  • justme

    I use Windows, I’ve been vulnerable since the beginning of time…

    • Don’t worry, at least you’re aware that nothing is unhackable and you’re not playing the security by obscurity game…unlike some people.

  • Chris

    I don’t understand why everyone keeps making this out to be a huge deal with OS X. If you don’t connect to insecure Wi-Fi hotspots, don’t use RDC and don’t have port 22 open with a weak password, you have nothing to fear.

    If you do have RDC turned on and do have a weak password, then you will want to either use a stronger password or use a service such as TeamViewer.

    Also, you’re more likely to get caught out by a phishing scam at this point than by a rogue hacker attempting to brute-force their way into your Mac via your IP address.

    • Pretty much. You can fix it yourself anyway as long as you have the Xcode command line tools installed.

      • Chris

        At this point there isn’t any reason or justification to update manually unless you absolutely need external access to Terminal. Apple will release a patch and everything on the OS X side of things will be fine.

        We need to stop hyping up this story and explain in newbie speak how to stay safe, which is a general problem in itself. Scaring millions of people by saying there’s a massive vulnerability isn’t solving anything.

  • Rohit

    My sources say the fix is readied by the same people who coded iOS 8.0.1…Nothing to fear..

    • I’m guessing you’re being sarcastic, but a fix already exists, just not from Apple. Of course, an official software update likely won’t take too long…

  • Khalid Tahhan

    The question is, are our modems and routers vulnerable? Someone could install a sniffer on them and trace not just your Mac but anything you do on the net. Or do I have this misunderstood?