'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services

terminalicon2 Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed," referring to the flaw discovered earlier this year in the popular OpenSSL software which secures connections between clients and servers:

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.

Heartbleed was said to have affected 66% of the Internet, although Apple announced in April that the exploit did not affect its software or "key services." Apple also released updates for the AirPort Extreme and Time Capsule to better secure both web devices against Heartbleed.

A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week. It is possible however that Apple will release a fix for OS X in the near future to address the exploit, similar to what it has done for other security issues in the past.

Popular Stories

Generic iOS 18 Feature Real Mock

Apple Shares Full List of Over 250 New Features and Changes Coming With iOS 18

Wednesday September 11, 2024 7:16 am PDT by
Following its iPhone 16 event on Monday, Apple shared a PDF on its website with a list of all new features and changes coming with iOS 18. The list includes many features that were already announced, including Apple Intelligence, new customization options for the Home Screen and Control Center, a redesigned Photos app, several enhancements to the Messages app, a Passwords app, and more....
iphone 16 pro pro max

First iPhone 16 Carrier Deals Include iPhone 16/16 Pro For Free, $1,000 Off iPhone 16 Pro Max

Monday September 9, 2024 3:18 pm PDT by
Apple today announced the latest lineup of iPhones, including the iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max. Pre-orders for these devices begin September 13, and if you plan on ordering from a cellular carrier in the United States, there will be plenty of options for discounts from the major carriers. AT&T is offering the iPhone 16 and iPhone 16 Pro at no cost with...
iphone 16 pro models 1

Skipping the iPhone 16 Pro? Here's What's Rumored for iPhone 17 Pro

Wednesday September 11, 2024 8:20 am PDT by
Will you be skipping the iPhone 16 Pro and waiting another year to upgrade? If so, we already have some iPhone 17 Pro rumors for you. Below, we recap key new features rumored for the iPhone 17 Pro models so far: 24MP front camera for all iPhone 17 models: All four iPhone 17 models will feature an upgraded 24-megapixel front-facing camera, according to Apple supply chain analysts Ming-Chi...
iphone 16 lineup colors

Apple Discontinues iPhone 15 Pro, iPhone 15 Pro Max and iPhone 13

Monday September 9, 2024 2:09 pm PDT by
With the launch of the new iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max, Apple has discontinued some of its older iPhones. As of today, Apple is no longer selling the iPhone 13, and the iPhone 15 Pro and iPhone 15 Pro Max have been replaced with the iPhone 16 Pro and iPhone 16 Pro Max. The iPhone SE remains as Apple's most affordable device, with the iPhone 14 and iPhone...
16 pro

Apple Announces iPhone 16 Pro and iPhone 16 Pro Max with Larger Displays, New Camera Control, and More

Monday September 9, 2024 11:13 am PDT by
Apple today announced the iPhone 16 Pro and iPhone 16 Pro Max—its latest flagship smartphones—featuring larger displays, an all-new Camera Control button, and the A18 Pro chip. The iPhone 16 Pro has a 6.3-inch display, while the iPhone 16 Pro Max features a 6.9-inch display—the biggest iPhone display ever. The borders around the display are the thinnest of any Apple device. The...
airpods pro 2 pink

Apple Releases New AirPods Pro 2 Firmware With Support for iOS 18 Features

Tuesday September 10, 2024 11:40 am PDT by
Apple today released a new firmware update for the AirPods Pro 2, including both the Lightning and USB-C versions. The firmware has a build number of 7A294, up from 6F8, and it is available for all AirPods Pro 2 users. Apple has been beta testing this update, but it is launching ahead of when iOS 18 becomes available next Monday. There are multiple features that Apple is adding to the...
maxresdefault

Everything Apple Announced at Today's Event in 13 Minutes

Monday September 9, 2024 6:02 pm PDT by
Apple today held the "It's Glowtime" fall event to debut new iPhone 16 models, a new version of the Apple Watch, new AirPods, and more. It took Apple more than an hour and a half to introduce the new devices, but we've recapped everything in a quick 13 minute video for our readers who want a short but detailed overview of what's new. Subscribe to the MacRumors YouTube channel for more videos. ...

Top Rated Comments

Eweie Avatar
130 months ago
strike three. you're out...
now what?
*still waiting for iPhone + Apple Watch*
*facepalm* you people don't know what bash is do you. this has nothing to do with apple.
Score: 33 Votes (Like | Disagree)
fluchtpunkt Avatar
130 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.

If only Bash would have been open source so people could search bugs in the source code


/s
Score: 31 Votes (Like | Disagree)
fluchtpunkt Avatar
130 months ago
No, as far as I have seen so far the first initial patch didn't actually fix the problem. The fact is that the bug was publicly disclosed yesterday, and you are ranting because there is no patch today, as of yet.
The bug is fixed. The patch is available. Apple could have rolled it out by now.

The GNU people even were so nice to backport the fixes to the ancient version Apple is using because Apple doesn't want code that's licensed with GPL v3.

http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052

Apple just has to apply the patch and provide a new bash binary through software update. Apple does not have to identify the bug, they don't have to come up with a solution, they don't have to verify the fix. Everything is done already.

Stupid politics are the only thing that prevent the release of this bugfix. Probably because they like to bundle patches so people think their software is more secure because it isn't patched that often.
Score: 8 Votes (Like | Disagree)
Slix Avatar
130 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
Score: 8 Votes (Like | Disagree)
CyBeRino Avatar
130 months ago
- iCloud hacks
Last month.


- iOS 8 issues
- iOS 8.0.1 issues
Ok.


- Bentgate
Physics.


- HealthKit issues
Part of 'iOS 8 issues'.


- iPhone 6 RAM issues
Not an issue at all, just some idiots who think RAM is free.


- Free U2 Album issues
Weeks ago.


- Restricted NFC chip
Not an issue, just a business decision that not everyone agrees with.


- Keynote streaming issues
Weeks ago. (Though otherwise valid.)


So yeah, not too bad at all.
Score: 7 Votes (Like | Disagree)
foobarbaz Avatar
130 months ago
Relax, people, the sky is not falling.

This problem primarily affects things running a (web) server.

Your home Mac might technically be affected, but you're likely not running anything that exposes the bug to an attacker.
Score: 7 Votes (Like | Disagree)