'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services
Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.
Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed," referring to the flaw discovered earlier this year in the popular OpenSSL software which secures connections between clients and servers:
Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.
Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.
Heartbleed was said to have affected 66% of the Internet, although Apple announced in April that the exploit did not affect its software or "key services." Apple also released updates for the AirPort Extreme and Time Capsule to better secure both web devices against Heartbleed.
A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week. It is possible however that Apple will release a fix for OS X in the near future to address the exploit, similar to what it has done for other security issues in the past.
Popular Stories
Earlier this week, The Information's Wayne Ma outlined struggles that Apple has faced during the development of its long-rumored AR/VR headset. Now, in a follow-up report, he has shared several additional details about the wearable device. Apple headset render created by Ian Zelbo based on The Information reporting For starters, one of the headset's marquee features is said to be lifelike...
With around four months to go before Apple is expected to unveil the iPhone 14 lineup, the overwhelming majority of rumors related to the new devices so far have focused on the iPhone 14 Pro, rather than the standard iPhone 14 – leading to questions about how different the iPhone 14 will actually be from its predecessor, the iPhone 13.
The iPhone 14 Pro and iPhone 14 Pro Max are expected...
Sony this week came out with an updated version of its popular over-ear noise canceling headphones, so we picked up a pair to compare them to the AirPods Max to see which headphones are better and whether it's worth buying the $400 WH-1000XM5 from Sony over Apple's $549 AirPods Max.
Subscribe to the MacRumors YouTube channel for more videos. First of all, the AirPods Max win out when it comes ...
Apple now plans to release a new 27-inch display with mini-LED backlighting in October due to the Shanghai lockdown, which has resulted in production of the display being delayed, according to display industry consultant Ross Young.
In a tweet, Young said Apple is in the process of moving production of the display from Quanta Computer to a different supplier and/or location, resulting in a...
Apple is working on an updated version of the HomePod that could come in the fourth quarter of 2022 or the first quarter of 2023, according to Apple analyst Ming-Chi Kuo. Kuo says that there "may not be much innovation in hardware design" for the new HomePod, and there is no word on what size the device will be and if it will be a HomePod mini successor or a larger speaker. Apple would ...
Solid markdowns on the AirTag, AirPods 3, and a few iPad models were introduced this week, and below you'll find all of the best deals of the past few days that are still available to purchase.
AirTag
Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running.
What's the...
Top Rated Comments
If only Bash would have been open source so people could search bugs in the source code
/s
The GNU people even were so nice to backport the fixes to the ancient version Apple is using because Apple doesn't want code that's licensed with GPL v3.
http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052
Apple just has to apply the patch and provide a new bash binary through software update. Apple does not have to identify the bug, they don't have to come up with a solution, they don't have to verify the fix. Everything is done already.
Stupid politics are the only thing that prevent the release of this bugfix. Probably because they like to bundle patches so people think their software is more secure because it isn't patched that often.
Ok.
Physics.
Part of 'iOS 8 issues'.
Not an issue at all, just some idiots who think RAM is free.
Weeks ago.
Not an issue, just a business decision that not everyone agrees with.
Weeks ago. (Though otherwise valid.)
So yeah, not too bad at all.
This problem primarily affects things running a (web) server.
Your home Mac might technically be affected, but you're likely not running anything that exposes the bug to an attacker.