'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services

terminalicon2 Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed," referring to the flaw discovered earlier this year in the popular OpenSSL software which secures connections between clients and servers:

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.

Heartbleed was said to have affected 66% of the Internet, although Apple announced in April that the exploit did not affect its software or "key services." Apple also released updates for the AirPort Extreme and Time Capsule to better secure both web devices against Heartbleed.

A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week. It is possible however that Apple will release a fix for OS X in the near future to address the exploit, similar to what it has done for other security issues in the past.

Top Rated Comments

Eweie Avatar
111 months ago
strike three. you're out...
now what?
*still waiting for iPhone + Apple Watch*
*facepalm* you people don't know what bash is do you. this has nothing to do with apple.
Score: 33 Votes (Like | Disagree)
fluchtpunkt Avatar
111 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.

If only Bash would have been open source so people could search bugs in the source code


/s
Score: 31 Votes (Like | Disagree)
fluchtpunkt Avatar
111 months ago
No, as far as I have seen so far the first initial patch didn't actually fix the problem. The fact is that the bug was publicly disclosed yesterday, and you are ranting because there is no patch today, as of yet.
The bug is fixed. The patch is available. Apple could have rolled it out by now.

The GNU people even were so nice to backport the fixes to the ancient version Apple is using because Apple doesn't want code that's licensed with GPL v3.

http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052

Apple just has to apply the patch and provide a new bash binary through software update. Apple does not have to identify the bug, they don't have to come up with a solution, they don't have to verify the fix. Everything is done already.

Stupid politics are the only thing that prevent the release of this bugfix. Probably because they like to bundle patches so people think their software is more secure because it isn't patched that often.
Score: 8 Votes (Like | Disagree)
Slix Avatar
111 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
Score: 8 Votes (Like | Disagree)
CyBeRino Avatar
111 months ago
- iCloud hacks
Last month.


- iOS 8 issues
- iOS 8.0.1 issues
Ok.


- Bentgate
Physics.


- HealthKit issues
Part of 'iOS 8 issues'.


- iPhone 6 RAM issues
Not an issue at all, just some idiots who think RAM is free.


- Free U2 Album issues
Weeks ago.


- Restricted NFC chip
Not an issue, just a business decision that not everyone agrees with.


- Keynote streaming issues
Weeks ago. (Though otherwise valid.)


So yeah, not too bad at all.
Score: 7 Votes (Like | Disagree)
foobarbaz Avatar
111 months ago
Relax, people, the sky is not falling.

This problem primarily affects things running a (web) server.

Your home Mac might technically be affected, but you're likely not running anything that exposes the bug to an attacker.
Score: 7 Votes (Like | Disagree)

Popular Stories

maxresdefault

Apple Announces WWDC 2023 Event Taking Place June 5 to 9

Wednesday March 29, 2023 9:58 am PDT by
Apple today announced that its 34th annual Worldwide Developers Conference will take place from Monday, June 5 to Friday, June 9. Like WWDC 2020, 2021, and 2022, WWDC 2023 will be an online event for the most part, and it will be open to all developers at no cost. Subscribe to the MacRumors YouTube channel for more videos. Apple will provide online sessions and labs, which will allow...
iPhone 15 Pro Buttons CAD Leak

iPhone 15 Pro Low-Energy Chip to Allow Solid-State Buttons to Work When Device is Off or Out of Battery

Wednesday March 29, 2023 1:54 am PDT by
The iPhone 15 Pro and Pro Max will use a new ultra-low energy microprocessor allowing certain features like the new capacitive solid-state buttons to remain functional even when the handset is powered off or the battery has run out, according to a source that shared details on the MacRumors forums. CAD-based render of new solid-state buttons on iPhone 15 Pro models The source of this rumor is ...
CarPlay Phone Call

General Motors to Phase Out Apple CarPlay Starting This Year in EV Transition

Friday March 31, 2023 8:43 am PDT by
General Motors (GM) will phase out Apple CarPlay and Android Auto in its vehicles starting this year, shifting to a built-in infotainment system co-developed with Google (via Reuters). GM owns Buick, Cadillac, Chevrolet, and GMC in the United States. It will stop offering Apple CarPlay and Android Auto starting with the 2024 Chevrolet Blazer, which goes on sale this summer. The company plans ...
iPhone 15 Pro Multi Purpose button Mute Switch Feature Green 2

iPhone 15 Pro Rumored to Feature Multi-Use Action Button Instead of Mute Switch

Wednesday March 29, 2023 7:28 am PDT by
iPhone 15 Pro and iPhone 15 Pro Max models are rumored to feature a customizable Action button like the Apple Watch Ultra, according to a MacRumors forum member who leaked accurate details about the Dynamic Island on iPhone 14 Pro models last year. The source claimed the Action button will replace the Ring/Silent switch that has been included on every iPhone model since 2007. They did not...
iOS 16

iOS 16.4 Now Available for Your iPhone With These 8 New Features

Friday March 31, 2023 8:55 am PDT by
Following six weeks of beta testing, iOS 16.4 was released to the public this week. The software update includes a handful of new features and changes for the iPhone 8 and newer. To install an iOS update, open the Settings app on the iPhone, tap General → Software Update, and follow the on-screen instructions. Below, we have recapped eight new features and changes added with iOS 16.4,...
iOS 17 on Phone Feature

Three New iOS Features Coming to Your iPhone Following Apple Music Classical

Thursday March 30, 2023 7:13 am PDT by
With the Apple Music Classical app and an Apple Pay Later early access program now available, the list of previously-announced iOS features that have yet to launch is beginning to shrink. However, there are still a few features we are waiting for. Below, we have recapped three more iOS features that are expected to launch in 2023, including an Apple Card savings account for Daily Cash,...
apple mixed reality headset concept by david lewis and marcus kane

Kuo: Apple Mixed-Reality Headset May Not Appear at WWDC as Mass Production Pushed Back Yet Again

Thursday March 30, 2023 4:50 am PDT by
Apple has again pushed back mass production of its mixed-reality headset and the device may not appear at this year's Worldwide Developers Conference (WWDC), Apple analyst Ming-Chi Kuo today said. Apple headset concept by David Lewis and Marcus Kane In a tweet, Kuo explained that Apple "isn't very optimistic" about whether the headset will be able to create an "iPhone moment." As a result,...