U.S. government warns of Bash flaw affecting Apple’s OS X, other Unix-based systems

“The U.S. government has joined an array of researchers warning of a security flaw that could allow hackers to access devices ranging from computers to video cameras and steal data,” Tim Culpan reports for Bloomberg. “A vulnerability in some Unix-based systems, such as Linux and Mac OS X, ‘may allow a remote attacker to execute arbitrary code on an affected system,’ the U.S. Department of Homeland Security’s Computer Emergency Readiness Team said in a statement on its website. Systems administrators can fix the flaw with a patch, it said.”

“The vulnerability affects Bourne again shell, or Bash, one of the most widely installed pieces of software on any Linux system, software maker Red Hat Inc. said in a statement on its security blog. The vulnerability, dubbed Shell Shock, could let hackers insert extra code into a computer leading to data theft or the crashing of networks,” Culpan reports. “‘Today’s bash bug is as big a deal as Heartbleed,’ Robert Graham of Errata said in an earlier blog post yesterday, noting that Internet-of-things devices such as video cameras are also vulnerable. ‘The bug interacts with other software in unexpected ways.’”

Culpan reports, “Carolyn Wu, a Beijing-based spokeswoman for Apple, didn’t immediately return phone calls and an e-mail today. Apple’s Trudy Muller, based in Cupertino, California, didn’t respond to an e-mail after normal business hours.”

Read more in the full article here.

MacDailyNews Take: The hits just keep on comin’!

26 Comments

    1. Be careful what you take on! The patch itself could be the Trojan Horse that allows certain agencies the ability to circumvent Apple’s latest defenses. Naming other Unix users could be a distraction to avert you from my conclusion.
      On the other hand, I always wear a tin foil hat! That is why I can think as clearly as everyone else wearing a tin foil hat.

      P.S. October has been dubbed “Stoptober”! The month when we are to be encouraged to stop engaging in certain vices. I for one am giving up Tin Foil Hats. 🙂

  1. Once again, the media will spin this as Apple’s problem and “the problems keep hitting Apple,” despite the fact that this problem clearly hits Unix and Linux of different flavors.

    Sadly, public perception is a strong force to reckon with, and lies spread fast and furious, while truths are met with speculation and distrust.

    1. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:

      Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
      CentOS (versions 5 through 7)
      Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
      Debian

      As of today, Apple’s OS X (our computers) remains vulnerable.

      The fact that a patch hasn’t been issued by Apple IS AN APPLE PROBLEM.
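For readers who want to verify the patch status of their own machine rather than take a vendor's word for it, here is an added check that is not part of the article or the comments above. It exports an environment variable in the function-definition form that unpatched Bash parses, then looks for the marker string that only an unpatched Bash would print; the variable and marker names are arbitrary choices made here. It works on any system with a POSIX sh and can be pointed at an alternative Bash binary (for example one installed from source) by passing its path.

```shell
#!/bin/sh
# Added example (not from the original page): report whether the local Bash is
# patched against Shellshock. Exit status 0 = patched (or no bash present),
# 1 = the binary still executes text that follows an exported function body.
bash_is_patched() {
    bin="${1:-bash}"   # optional argument: path to the bash binary to test

    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "no '$bin' found on this system; nothing to check"
        return 0
    fi

    version=$("$bin" --version 2>/dev/null | head -n 1)

    # SHELLSHOCK_PROBE and SHELLSHOCK_MARKER are names chosen for this example.
    # A patched Bash treats the variable as an ordinary string, so the only
    # output is "probe_ran"; an unpatched Bash also runs the trailing echo.
    out=$(env SHELLSHOCK_PROBE='() { :;}; echo SHELLSHOCK_MARKER' \
          "$bin" -c 'echo probe_ran' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_MARKER*)
            echo "VULNERABLE: $bin ($version) executed injected code from the environment"
            return 1
            ;;
        *)
            echo "patched: $bin ($version) ignored the trailing code"
            return 0
            ;;
    esac
}

# Run against the default bash when executed directly.
bash_is_patched "$@"
```

The check exercises only the original Shellshock parsing flaw; follow-up fixes to the same parser came out over the following days, so a "patched" result here means the distribution's first fix is installed, not necessarily the latest one.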

  2. What is it with MDN takes lately? This isn’t Apple’s fault, and the so-called vulnerability is widespread, and would take direct access to implement, as near as I can tell. MDN is taking their Apple bashing to new lows. Sure, sometimes Apple deserves some bashing, but most of the time, it’s something they cannot control.

        1. I use Mac OS X, Linux, and Bash on a daily basis for my work, and I have no idea what pedantic distinction you are even trying to make.

          “Based on Unix” but not “Unix-based” – what could that even possibly mean, in any practical context? Did that even make sense to you when you wrote that?

            1. Okay... I can’t help but wonder, what does the vague and non-certified label “Unix-like” have to do with any of this?

              I have not seen any mention of “Unix-like” in your previous comments, this article, or in anything written about Shellshock.

              Shellshock is a vulnerability in Bash, a specific piece of software installed on nearly every Unix-based operating system. How is the intentionally vague “Unix-like” designation in any way relevant?

    1. A couple of reasons for concern:
      – Not every system administrator will be able to install the patch in time
      – Not every major affected OS even has the patch available for download, such as Fedora and OS X
      – Many old systems might not have the ability to install the patch
      – There are doubts the current patch even works 100%
      – Unpatched systems could be used to launch DDoS attacks, which can target any website regardless of whether that site is patched or not.

  3. So run an update and close Bash where it isn’t needed. If it is required to be open then a fix will be required.
    As long as Apple investigates and responds to this in a timely manner, then they will minimize the potential impact. If they choose to ignore this, then they will be open to criticism. Apple can send updates and very quickly patch most users.
    I am more worried about vendor websites that hold my credit card information and whether they update their systems once a fix for a vulnerability is found.

      1. That’s because they have already fixed it and Apple is still dragging its ass. The patch probably wasn’t pretty enough for Jony to approve. Apple has a patch for OSX (in another article on the web), but didn’t include it in 10.9.5 that just came out. Why? I guess they were too busy celebrating Thanksgiving early.
