“The U.S. government has joined an array of researchers warning of a security flaw that could allow hackers to access devices ranging from computers to video cameras and steal data,” Tim Culpan reports for Bloomberg. “A vulnerability in some Unix-based systems, such as Linux and Mac OS X, ‘may allow a remote attacker to execute arbitrary code on an affected system,’ the U.S. Department of Homeland Security’s Computer Emergency Readiness Team said in a statement on its website. Systems administrators can fix the flaw with a patch, it said.”
“The vulnerability affects Bourne again shell, or Bash, one of the most widely installed pieces of software on any Linux system, software maker Red Hat Inc. said in a statement on its security blog. The vulnerability, dubbed Shell Shock, could let hackers insert extra code into a computer leading to data theft or the crashing of networks,” Culpan reports. “‘Today’s bash bug is as big a deal as Heartbleed,’ Robert Graham of Errata said in an earlier blog post yesterday, noting that Internet-of-things devices such as video cameras are also vulnerable. ‘The bug interacts with other software in unexpected ways.'”
Culpan reports, “Carolyn Wu, a Beijing-based spokeswoman for Apple, didn’t immediately return phone calls and an e-mail today. Apple’s Trudy Muller, based in Cupertino, California, didn’t respond to an e-mail after normal business hours.”
Read more in the full article here.
MacDailyNews Take: The hits just keep on comin’!
Doesn’t this affect Android, too?
Be careful what you take on! The patch itself could be the Trojan Horse that allows certain agencies the ability to circumvent Apple’s latest defenses. Naming other Unix users could be a distraction to avert you from my conclusion.
On the hand, I always wear a tin foil hat! That is why I can think as clearly as everyone else wearing a tin foil hat.
Ps. October has been dubbed “Stoptober”! The month when we are to be encouraged to stop engaging in certain vices. I for one am giving up Tin Foil Hats. 🙂
Once again, the media will spin this as Apple’s problem and “the problems keep hitting Apple,” despite the fact that this problem clearly hits Unix and Linux of different flavors.
Sadly, public perception is a strong force to reckon with and, lies spread fast and furious, while truths are met with speculation and ditrust.
Patches have been issued by many of the major Linux distribution vendors for affected versions, including:
Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
CentOS (versions 5 through 7)
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Debian
As of today, Apple’s OS X (our computers) remain vunerable.
The fact that a patch hasn’t been issued by Apple IS AN APPLE PROBLEM.
If true, that is a fair assessment.
Still insane that the only mention of it I’ve seen on the news has been aimed directly and only at Apple OS X.
What is it with MDN takes lately, this isn’t Apple’s fault, and the so called vulnerability is wide spread, and would take direct access to implement near as I can tell.. MDN is taking their Apple bashing to new lows.. Sure, sometimes Apple deserves some bashing, but most of the time, its something they cannot control.
The author of the article doesn’t know that Unix and Linux are two different things.
Bash is the same on both.
I was referring to the author’s following statement:
“A vulnerability in some Unix-based systems, such as Linux and Mac OS X”
Linux is based on Unix, but it isn’t Unix-based.
Thank you, Captain Semantics.
I use Mac OS X, Linux, and Bash on a daily basis for my work, and I have no idea what pedantic distinction you are even trying to make.
“Based on Unix” but not “Unix-based” – what could that even possibly mean, in any practical context? Did that even make sense to you when you wrote that?
Wow. I guess you skipped class the day they taught this…
“A Unix-like (sometimes referred to as UN*X or *nix) operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification.”
Taken from http://http://en.wikipedia.org/wiki/Unix-like
Okay….. I can’t help but wonder, what does the vague and non-certified label “Unix-like” have to do with any of this?
I have not seen any mention of “Unix-like” in your previous comments, this article, or in anything written about Shellshock.
Shellshock is a vulnerability is Bash, a specific piece of software installed on nearly every Unix-based operating system. How is the intentionally vague “Unix-like” designation in any way relevant?
There already is a patch for this. So what is the big deal?
Couple of reasons for concern:
– Not every system administrator will be able install the patch in time
– Not every major affected OS even has the patch available for download, such as Fedora and OS X
– Many old systems might not have the ability to install the patch
– There are doubts the current patch even works 100%
– Unpatched systems could be used to launch DDOS attacks, which can target any website regardless of whether that site is patched or not.
So run an update and close Bash where it isn’t needed. If it is required to be open then a fix will be required.
As long as Apple investigate and respond to this in a timely manner then they will minimize the potential impact. If they choose to ignore this then they will be open to criticism. Apple can send updates and very quickly patch most users.
I am more worried about vendor websites that hold my credit card information and whether they update their systems once a fix for a vulnerability is found.
Another anti-Apple article put out by the so-called journalist hacks at Bloomberg.
There must be at least a temporary workaround that we must learn about.
from the CERT website
Operating systems with updates include:
CentOS
Debian
Redhat (link is external)
Ubuntu
No joy for OS X or iOS, but they have a really nice watch you will soon be able to order that Jony is really proud of.
This are all variants of Linux, not Unix.
That’s because they have already fixed it and Apple is still dragging its ass. The patch probably wasn’t pretty enough for Jony to approve. Apple has a patch for OSX (in another article on the web), but didn’t include it in 10.9.5 that just came out. Why? I guess they were too busy celebrating Thanksgiving early.
The bug is in BASH, shared over many OSes
Should the U.S. government also call out all of Windows flaws too?
Because that would be one lonnnggg article.
so where is their complaints about Windows. looks like Apple stock is being manipulated once again .Samsung must be sending out bundles of cash this week
CORRECTION: The vulnerability in BASH is an issue affecting UNIX and Linux. Apple OS-X is built on top of a UNIX kernel. This is something the media simply does not understand. Instead, the media prefers to infer that this is Apple’s fault, when it is a vulnerability in something that predates OS-X.
Details, details. They’re so inconvenient when you have an agenda.