'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services

terminalicon2 Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed," referring to the flaw discovered earlier this year in the popular OpenSSL software which secures connections between clients and servers:

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.

Heartbleed was said to have affected 66% of the Internet, although Apple announced in April that the exploit did not affect its software or "key services." Apple also released updates for the AirPort Extreme and Time Capsule to better secure both web devices against Heartbleed.

A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week. It is possible however that Apple will release a fix for OS X in the near future to address the exploit, similar to what it has done for other security issues in the past.

Top Rated Comments

Eweie Avatar
93 months ago
strike three. you're out...
now what?
*still waiting for iPhone + Apple Watch*
*facepalm* you people don't know what bash is do you. this has nothing to do with apple.
Score: 33 Votes (Like | Disagree)
fluchtpunkt Avatar
93 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.

If only Bash would have been open source so people could search bugs in the source code


/s
Score: 31 Votes (Like | Disagree)
fluchtpunkt Avatar
93 months ago
No, as far as I have seen so far the first initial patch didn't actually fix the problem. The fact is that the bug was publicly disclosed yesterday, and you are ranting because there is no patch today, as of yet.
The bug is fixed. The patch is available. Apple could have rolled it out by now.

The GNU people even were so nice to backport the fixes to the ancient version Apple is using because Apple doesn't want code that's licensed with GPL v3.

http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052

Apple just has to apply the patch and provide a new bash binary through software update. Apple does not have to identify the bug, they don't have to come up with a solution, they don't have to verify the fix. Everything is done already.

Stupid politics are the only thing that prevent the release of this bugfix. Probably because they like to bundle patches so people think their software is more secure because it isn't patched that often.
Score: 8 Votes (Like | Disagree)
Slix Avatar
93 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
Score: 8 Votes (Like | Disagree)
CyBeRino Avatar
93 months ago
- iCloud hacks
Last month.


- iOS 8 issues
- iOS 8.0.1 issues
Ok.


- Bentgate
Physics.


- HealthKit issues
Part of 'iOS 8 issues'.


- iPhone 6 RAM issues
Not an issue at all, just some idiots who think RAM is free.


- Free U2 Album issues
Weeks ago.


- Restricted NFC chip
Not an issue, just a business decision that not everyone agrees with.


- Keynote streaming issues
Weeks ago. (Though otherwise valid.)


So yeah, not too bad at all.
Score: 7 Votes (Like | Disagree)
foobarbaz Avatar
93 months ago
Relax, people, the sky is not falling.

This problem primarily affects things running a (web) server.

Your home Mac might technically be affected, but you're likely not running anything that exposes the bug to an attacker.
Score: 7 Votes (Like | Disagree)

Related Stories

studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
airtag in hand

Apple Enhancing AirTags Anti-Stalking Measures With Android App and Shorter Sound Intervals

Thursday June 3, 2021 11:10 am PDT by
Apple is enhancing AirTags security to prevent stalking using the Bluetooth devices, Apple told CNET today. Apple is already sending out over-the-air updates to AirTags that will shorten the amount of time before an unknown AirTag alerts you if it is in your possession. At the current time, AirTags play a sound after three days of being away from their owner. After the update, AirTags will...
maxresdefault

Here's How Apple's New iPhone to iPhone Data Migration Feature Works in iOS 12.4

Tuesday July 23, 2019 1:20 pm PDT by
Apple this week released iOS 12.4, the newest version of iOS 12 available for iPhones and iPads. One of the new features in iOS 12.4 is an updated data migration option that uses device to device transfers rather than relying on iCloud. Apple didn't provide much information on the new data migration feature, so we thought we'd check it out in our latest YouTube video. Subscribe to the ...
youtube apple tv

YouTube Discontinuing 3rd-Generation Apple TV App, AirPlay Still Available

Wednesday February 3, 2021 3:09 pm PST by
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option. A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
macos catalina legacy system extension alert

Apple Begins Warning Users That 'Legacy System Extensions' Won't Work With a Future Version of macOS

Wednesday March 25, 2020 9:53 am PDT by
Apple has shared a new support document that indicates kernel extensions — which it calls "legacy system extensions" — will not be compatible with a future version of macOS because they "aren't as secure or reliable as modern alternatives."System extensions are a category of software that works in the background to extend the functionality of your Mac. Some apps install kernel extensions, which...
os x mountain lion macs 16x9 2

Apple Makes OS X Lion and Mountain Lion Free to Download

Wednesday June 30, 2021 12:19 pm PDT by
Apple recently dropped the $19.99 fee for OS X Lion and Mountain Lion, making the older Mac updates free to download, reports Macworld. Apple has kept OS X 10.7 Lion and OS X 10.8 Mountain Lion available for customers who have machines limited to the older software, but until recently, Apple was charging $19.99 to get download codes for the updates. As of last week, these updates no...
airtag precision finding

AirTag Includes U1 Chip for 'Precision Finding' Feature

Tuesday April 20, 2021 12:11 pm PDT by
Apple's long-awaited AirTag was finally unveiled today, and as expected, the small circle-shaped accessories can be attached to items like wallets, keys, and more to allow them to be tracked in the Find My app. As was rumored ahead of release, each AirTag is equipped with a U1 chip, and on devices that also have U1 chips, there's a Precision Finding feature. U1 Ultra Wideband chips are...
iOS 15 General Feature Yellow

Everything New in iOS 15 Beta 6: SharePlay Disabled, Safari Redesigned and More

Tuesday August 17, 2021 2:12 pm PDT by
Apple released the sixth beta of iOS 15 just a week after the fifth beta, but the new update brings some of the most significant tweaks that we've seen to iOS 15 during the beta testing period. Safari Redesign Apple in iOS 15 beta 6 has added a toggle to move the Safari address bar to the top of the interface, which returns Safari to an iOS 14-like design and mitigates all of the Safari...
m1 macbook air

Kuo: Mini-LED MacBook Air Coming in Mid-2022

Thursday July 22, 2021 7:48 pm PDT by
Apple will release a new version of the MacBook Air around the middle of 2022, Apple analyst Ming-Chi Kuo said today in note to investors seen by MacRumors. The upcoming MacBook Air will feature a 13.3-inch mini-LED display, which would make it the second Mac to gain mini-LED technology after the 2021 MacBook Pro, which is rumored to include a mini-LED display and is expected to launch later ...
2016 macbook pro flexgate b

Apple Faces Another Class-Action MacBook Pro ‘Flexgate’ Lawsuit

Thursday August 20, 2020 6:43 am PDT by
Another class-action complaint has been lodged against Apple, which claims that the company was aware of a MacBook Pro design flaw that caused some devices to have backlight display issues (via Apple Insider). The so-called "flexgate" problem was present in some MacBook Pro models manufactured between 2016 and 2017. The problem appears as dark patches along the bottom of the MacBook Pro's...