'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services

terminalicon2 Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed," referring to the flaw discovered earlier this year in the popular OpenSSL software which secures connections between clients and servers:

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.

Heartbleed was said to have affected 66% of the Internet, although Apple announced in April that the exploit did not affect its software or "key services." Apple also released updates for the AirPort Extreme and Time Capsule to better secure both web devices against Heartbleed.

A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week. It is possible however that Apple will release a fix for OS X in the near future to address the exploit, similar to what it has done for other security issues in the past.

Top Rated Comments

Eweie Avatar
84 months ago
strike three. you're out...
now what?
*still waiting for iPhone + Apple Watch*
*facepalm* you people don't know what bash is do you. this has nothing to do with apple.
Score: 33 Votes (Like | Disagree)
fluchtpunkt Avatar
84 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.

If only Bash would have been open source so people could search bugs in the source code


/s
Score: 31 Votes (Like | Disagree)
fluchtpunkt Avatar
84 months ago
No, as far as I have seen so far the first initial patch didn't actually fix the problem. The fact is that the bug was publicly disclosed yesterday, and you are ranting because there is no patch today, as of yet.
The bug is fixed. The patch is available. Apple could have rolled it out by now.

The GNU people even were so nice to backport the fixes to the ancient version Apple is using because Apple doesn't want code that's licensed with GPL v3.

http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052

Apple just has to apply the patch and provide a new bash binary through software update. Apple does not have to identify the bug, they don't have to come up with a solution, they don't have to verify the fix. Everything is done already.

Stupid politics are the only thing that prevent the release of this bugfix. Probably because they like to bundle patches so people think their software is more secure because it isn't patched that often.
Score: 8 Votes (Like | Disagree)
Slix Avatar
84 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
Score: 8 Votes (Like | Disagree)
CyBeRino Avatar
84 months ago
- iCloud hacks
Last month.


- iOS 8 issues
- iOS 8.0.1 issues
Ok.


- Bentgate
Physics.


- HealthKit issues
Part of 'iOS 8 issues'.


- iPhone 6 RAM issues
Not an issue at all, just some idiots who think RAM is free.


- Free U2 Album issues
Weeks ago.


- Restricted NFC chip
Not an issue, just a business decision that not everyone agrees with.


- Keynote streaming issues
Weeks ago. (Though otherwise valid.)


So yeah, not too bad at all.
Score: 7 Votes (Like | Disagree)
foobarbaz Avatar
84 months ago
Relax, people, the sky is not falling.

This problem primarily affects things running a (web) server.

Your home Mac might technically be affected, but you're likely not running anything that exposes the bug to an attacker.
Score: 7 Votes (Like | Disagree)

Top Stories

jon prosser imac 2021colors

Prosser: 2021 iMac to Come in Five Colors, Apple Silicon Mac Pro to Resemble 'Stacked' Mac Minis

Wednesday February 24, 2021 7:26 am PST by
Hit-and-miss leaker Jon Prosser has today alleged that the upcoming 2021 iMac models will offer five color options, mirroring the colors of the fourth-generation iPad Air, and revealed a number of additional details about the Mac Pro with Apple Silicon. In a new video on YouTube channel FrontPageTech, Prosser explained that the redesigned iMacs will come featuring options for Silver, Space ...
First Look Big Sur Feature2

Apple Releases macOS Big Sur 11.2.2 to Prevent MacBooks From Being Damaged by Third-Party Non-Compliant Docks

Thursday February 25, 2021 10:07 am PST by
Apple today released macOS Big Sur 11.2.2, the fourth update to the macOS Big Sur operating system that launched in November. macOS Big Sur 11.2.2 comes two weeks after the release of macOS Big Sur 11.2.1, a bug fix update. The new ‌‌‌‌macOS Big Sur‌‌‌ 11.2.2‌ update can be downloaded for free on all eligible Macs using the Software Update section of System Preferences....
microsoft edge ios android

Bill Gates Says His Preference for Android Over iPhone is Due to Pre-Installed Software

Friday February 26, 2021 3:35 am PST by
Microsoft co-founder Bill Gates this week participated in his first meeting on Clubhouse, the increasingly popular invite-only conversation app, where he fielded a range of questions as part of an ongoing book tour. Gates was interviewed by journalist Andrew Ross Sorkin, and given that the Clubhouse app is currently only available on iOS, naturally one of the questions that came up was...
flat mbp 14 inch feature yellow

Redesigned 14-Inch MacBook Pro Expected to Feature Brighter Mini-LED Display With Slimmer Bezels and More

Thursday February 25, 2021 7:48 am PST by
Apple plans to unveil new 14-inch and 16-inch MacBook Pro models with Mini-LED-backlit displays in the second half of this year, according to industry sources cited by Taiwanese supply chain publication DigiTimes. The report claims that Radiant Opto-Electronics will be the exclusive supplier of the Mini-LED backlight units, while Quanta Computer is said to be tasked with final assembly of the...
m1 mac mini

M1 Mac Users Report Excessive SSD Wear

Tuesday February 23, 2021 7:07 am PST by
Over the past week, some M1 Mac users have been reporting alarming SSD health readings, suggesting that these devices are writing extraordinary amounts of data to their drives (via iMore). Across Twitter and the MacRumors forums, users are reporting that M1 Macs are experiencing extremely high drive writes over a short space of time. In what appear to be the most severe cases, M1 Macs are sai...
steam apple logo

Valve Ordered to Give Apple Information on 436 Steam Games As Part of Epic Games Legal Case

Thursday February 25, 2021 1:50 am PST by
Valve, the makers behind popular game distribution platform Steam, will be forced to hand over aggregate historical sales, price, and other information on 436 games hosted on the store to Apple, as part of the Apple vs. Epic Games antitrust case. As reported in a paywalled report by Law360, during a virtual discovery hearing on Wednesday, U.S. Magistrate Judge Thomas S. Hixson ordered that...
2021 mbp sd slot feature2

Kuo: New MacBook Pro Models With HDMI Port and SD Card Reader to Launch Later This Year

Monday February 22, 2021 8:52 pm PST by
Apple plans to release two new MacBook Pro models equipped with an HDMI port and SD card reader in the second half of 2021, according to analyst Ming-Chi Kuo, who outlined his expectations in a research note obtained by MacRumors. The return of an SD card reader was first reported by Bloomberg's Mark Gurman last month. "We predict that Apple's two new MacBook Pro models in 2H21 will have...
apple store macarthur center

Apple Store at MacArthur Center in Virginia Permanently Closing Following Years of Safety Issues at Shopping Mall

Thursday February 25, 2021 4:45 pm PST by
Apple today indicated that its retail store at the MacArthur Center shopping mall in Norfolk, Virginia will be permanently closing after over 14 years of business, although an exact closure date has yet to be announced by the company. Apple has assured that it will be offering all employees at the store other positions within Apple, and said that it looks forward to continuing to serve...
qualcomm snapdragon x60 5g

iPhone 13 Lineup Expected to Use Qualcomm's Snapdragon X60 Modem With Several 5G Improvements

Wednesday February 24, 2021 8:10 am PST by
Apple's next-generation iPhone 13 lineup will use Qualcomm's Snapdragon X60 5G modem, with Samsung to handle manufacturing of the chip, according to DigiTimes. Built on a 5nm process, the X60 packs higher power efficiency into a smaller footprint compared to the 7nm-based Snapdragon X55 modem used in iPhone 12 models, which could contribute to longer battery life. With the X60 modem, iPhone...
anker magsafe powercore battery pack

Anker Releases MagSafe-Compatible Battery Pack for iPhone 12 Lineup

Tuesday February 23, 2021 7:49 am PST by
Following rumors that Apple is working on a MagSafe battery pack for iPhone 12 models, popular accessory maker Anker has beaten Apple to the punch with the release of its PowerCore Magnetic 5K Wireless Power Bank. First previewed at CES 2021, the PowerCore battery pack magnetically attaches to the back of any iPhone 12 model and provides 5W of wireless charging. With a 5,000 mAh capacity,...