'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services

by

terminalicon2 Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed," referring to the flaw discovered earlier this year in the popular OpenSSL software which secures connections between clients and servers:

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.

Heartbleed was said to have affected 66% of the Internet, although Apple announced in April that the exploit did not affect its software or "key services." Apple also released updates for the AirPort Extreme and Time Capsule to better secure both web devices against Heartbleed.

A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week. It is possible however that Apple will release a fix for OS X in the near future to address the exploit, similar to what it has done for other security issues in the past.

Top Rated Comments

Eweie Avatar
Eweie
86 months ago
strike three. you're out...
now what?
*still waiting for iPhone + Apple Watch*
*facepalm* you people don't know what bash is do you. this has nothing to do with apple.
Score: 33 Votes (Like | Disagree)
fluchtpunkt Avatar
fluchtpunkt
86 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.

If only Bash would have been open source so people could search bugs in the source code


/s
Score: 31 Votes (Like | Disagree)
fluchtpunkt Avatar
fluchtpunkt
86 months ago
No, as far as I have seen so far the first initial patch didn't actually fix the problem. The fact is that the bug was publicly disclosed yesterday, and you are ranting because there is no patch today, as of yet.
The bug is fixed. The patch is available. Apple could have rolled it out by now.

The GNU people even were so nice to backport the fixes to the ancient version Apple is using because Apple doesn't want code that's licensed with GPL v3.

http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052

Apple just has to apply the patch and provide a new bash binary through software update. Apple does not have to identify the bug, they don't have to come up with a solution, they don't have to verify the fix. Everything is done already.

Stupid politics are the only thing that prevent the release of this bugfix. Probably because they like to bundle patches so people think their software is more secure because it isn't patched that often.
Score: 8 Votes (Like | Disagree)
Slix Avatar
Slix
86 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
Score: 8 Votes (Like | Disagree)
CyBeRino Avatar
CyBeRino
86 months ago
- iCloud hacks
Last month.


- iOS 8 issues
- iOS 8.0.1 issues
Ok.


- Bentgate
Physics.


- HealthKit issues
Part of 'iOS 8 issues'.


- iPhone 6 RAM issues
Not an issue at all, just some idiots who think RAM is free.


- Free U2 Album issues
Weeks ago.


- Restricted NFC chip
Not an issue, just a business decision that not everyone agrees with.


- Keynote streaming issues
Weeks ago. (Though otherwise valid.)


So yeah, not too bad at all.
Score: 7 Votes (Like | Disagree)
foobarbaz Avatar
foobarbaz
86 months ago
Relax, people, the sky is not falling.

This problem primarily affects things running a (web) server.

Your home Mac might technically be affected, but you're likely not running anything that exposes the bug to an attacker.
Score: 7 Votes (Like | Disagree)
Read All Comments

Top Stories

tile sticker e1570533758981

Tile CEO: 'We Welcome Competition From Apple, But We Think It Needs to Be Fair'

Tuesday May 4, 2021 9:51 am PDT by
Just after Apple announced its AirTags, Tile CEO CJ Prober relayed his concerns about competing with Apple in the tracking space, and said that Tile would ask Congress to investigate Apple's business practices specific to Find My and item trackers. Prober this week did an interview with Bloomberg, where he further expanded on Tile's complaints about Apple and why he feels that Tile is...
Read Full Article445 comments
apple watch ecg

Apple Watch Likely to Gain Blood Pressure, Blood Glucose, and Blood Alcohol Monitoring

Monday May 3, 2021 4:03 am PDT by
The Apple Watch may gain the ability to measure blood pressure, blood glucose, and blood alcohol levels, according to newly-revealed information about one of Apple's chosen business partners. Apple has been revealed to be the largest customer of the British electronics start-up Rockley Photonics, The Telegraph reports. Rockley Photonics has developed non-invasive optical sensors for...
Read Full Article204 comments
signal instagram ads3

Signal Shares the Instagram Ads Facebook Doesn't Want You to See

Wednesday May 5, 2021 1:29 am PDT by
Encrypted messaging app Signal has had a series of Instagram ads blocked from the social media platform, after it attempted to show users how much data the Facebook-owned company collects about them and how it's used to push targeted ads. In a blog post, Signal described how it generated the ads to show users why they were seeing them, simply by declaring upfront the information that the...
Read Full Article101 comments
fortnite apple logo 2

Epic CEO Tim Sweeney Admits App Store's 30% Cut Is Similar to Consoles, Would Have Accepted Special Deal With Apple

Tuesday May 4, 2021 1:54 pm PDT by
Apple's legal battle with Epic Games is continuing on, and during the second day of the trial, Epic Games' CEO Tim Sweeney continued his testimony against Apple. Sweeney was grilled by Apple's lawyers, and made several points seemingly favorable to Apple. In addition to mentioning how he prefers Apple's iPhone and values Apple's privacy policies that he's aiming to dismantle, Sweeney...
Read Full Article205 comments
snapchat dark mode

Snapchat Rolls Out Dark Mode on iOS

Wednesday May 5, 2021 1:17 am PDT by
Nearly two years following the release of iOS and iPadOS 13, which included native, built-in, and systemwide dark mode, Snapchat, one of the world's most prominent social media networks, has finally rolled out a dark mode theme for iOS users. Snapchat began testing a dark mode theme of its app design late last year with a small group of iOS users. Now, Snapchat says that as of this week, it...
Read Full Article19 comments
maxresdefault

Hands-On With Brydge's 12.9-Inch iPad Pro Keyboard With Trackpad

Tuesday May 4, 2021 11:48 am PDT by
Brydge has been making keyboards for Apple's iPads for years now, and the newest model, the Brydge 12.9 MAX+, is compatible with the third, fourth, and fifth-generation iPad Pro models, so it works even with the new mini-LED iPad Pro. Subscribe to the MacRumors YouTube channel for more videos. In our latest YouTube video, we checked out the new Brydge 12.9 MAX+ to see if it's a viable...
Read Full Article87 comments
iphone 13 pro max dummy notch

iPhone 13 Pro Max Dummy Model Depicts Smaller Notch

Tuesday May 4, 2021 1:08 pm PDT by
Apple's iPhone 13 models are expected to feature a slimmed down notch, marking the first major change to the TrueDepth camera system since it was introduced in the 2017 iPhone X. We're still months away from the launch of the iPhone 13, but Lewis Hilsenteger of Unbox Therapy managed to get an iPhone 13 Pro Max dummy model that represents what we can expect from the new 2021 device. Dummy...
Read Full Article137 comments
Flat 2021 MacBook Pro Mockup Feature 1

Mini-LED Display Production Improving for Redesigned MacBook Pro Models Later This Year

Monday May 3, 2021 8:33 am PDT by
Apple supplier TSMT, a key vendor involved in the production of mini-LED displays in the newly announced 12.9-inch iPad Pro, has been able to address technical challenges for the production of mini-LED displays to be used in the upcoming 14 and 16-inch redesigned MacBook Pro models. As reported by DigiTimes, TSMT had initially been facing production constraints with the circuit board and...
Read Full Article128 comments
netflix sign up

Apple Discussed 'Punitive Measures' Against Netflix for Dropping In-App Purchases

Wednesday May 5, 2021 11:03 am PDT by
As the Epic Games v. Apple trial progresses into its third day, Apple's internal documents and communications with various companies are continuing to surface, giving us some insight into the dealings that Apple has had around the App Store. Back in December 2018, Netflix stopped offering in-app subscription options for new or resubscribing members and instead began requiring them to sign up ...
Read Full Article416 comments
airtags

AirTag Owners Bemoan Inability to Let Others Track Their Items Via Family Sharing

Tuesday May 4, 2021 5:12 am PDT by
Apple's new AirTag item trackers have been making their way into the hands of customers since Friday, and while the company has tried to describe the ways that they can be used to find lost items, many users are still surprised and disappointed to learn that the location of an AirTag can't be shared with other family members. On the face of it, sharing the location of an AirTag via Apple's...
Read Full Article239 comments