iMore‘s Rene Ritchie reports that the vast majority of OS X users safe from the ‘Shellshock’ bash exploit and that a patch is coming quickly for advanced Unix users:
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson told iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
Read more in the full article here.
Related articles:
The Bash ‘Shellshock’ bug and workaround – September 25, 2014
U.S. government warns of Bash flaw affecting Apple’s OS X, other Unix-based systems – September 25, 2014
OMG thank you, btw is in app browser a good idea?
btw – what is an “advanced” UNIX user? I have a terminal window open all the time…but I’d never consider myself “advanced”.
Really? Why? I must admit I have no idea why you would need to have a terminal window open “all the time.”
I also keep a terminal open all day at work. For myself I use it for Alpine, ping, nslookup, tracerouts, whois just to name a few.
If you’re running OS X Server, using the Terminal for server commands and monitoring can still be very useful.
But the Bash exploits are only immediately relevant to OS X servers exposed to the Internet.
You should be fine, as far as remote attack goes.
The real problem is when something that runs a bash shell script is exposed to an outsider – they can hijack whatever the script was supposed to do and inject an arbitrary command.
If your computer is sitting there with a terminal window open and your screen isn’t locked, there doesn’t need to be a vulnerability in Bash for your computer to be vulnerable – an attacker can just sit down and type rm ~/ -rf
🙂
You are correct, that is why every time I leave my desk the mac is locked.
I would also like to know what is considered as an advance user. I regularly use Command Line Development Tools for coding. As well I sometimes, ssh into the schools system.
Though I would also never consider myself advanced.
Been a Mac user since 1987 but have no idea what you lot are going on about so sounds pretty advanced to me compared to the over whelming number of ordinary users who wouldn’t dream of doing what you lot are doing but just get on with their work.
Well, it’s NOT exactly useful to say ‘majority of OS X users are safe’ from the Bash exploits. I strongly suspect Trojan horses will show up that make use of them.
But certainly for now, the immediate Bash problems affect OS X servers exposed to the Internet. And I strongly suspect a bug-free (fur shur this time!) version of Bash will be coded and swiftly provided to OS X users. The lingering problem will be on legacy OS X servers that are beyond Apple’s interest in patching. Admins for those servers are going to have to DIY update Bash. And if they’re still running old versions of OS X on servers, they’re not likely to bother. So, no doubt we’ll hear of related PWNings in the future.