'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services

terminalicon2 Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed," referring to the flaw discovered earlier this year in the popular OpenSSL software which secures connections between clients and servers:

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.

Heartbleed was said to have affected 66% of the Internet, although Apple announced in April that the exploit did not affect its software or "key services." Apple also released updates for the AirPort Extreme and Time Capsule to better secure both web devices against Heartbleed.

A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week. It is possible however that Apple will release a fix for OS X in the near future to address the exploit, similar to what it has done for other security issues in the past.

Top Rated Comments

Eweie Avatar
105 months ago
strike three. you're out...
now what?
*still waiting for iPhone + Apple Watch*
*facepalm* you people don't know what bash is do you. this has nothing to do with apple.
Score: 33 Votes (Like | Disagree)
fluchtpunkt Avatar
105 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.

If only Bash would have been open source so people could search bugs in the source code


/s
Score: 31 Votes (Like | Disagree)
fluchtpunkt Avatar
105 months ago
No, as far as I have seen so far the first initial patch didn't actually fix the problem. The fact is that the bug was publicly disclosed yesterday, and you are ranting because there is no patch today, as of yet.
The bug is fixed. The patch is available. Apple could have rolled it out by now.

The GNU people even were so nice to backport the fixes to the ancient version Apple is using because Apple doesn't want code that's licensed with GPL v3.

http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052

Apple just has to apply the patch and provide a new bash binary through software update. Apple does not have to identify the bug, they don't have to come up with a solution, they don't have to verify the fix. Everything is done already.

Stupid politics are the only thing that prevent the release of this bugfix. Probably because they like to bundle patches so people think their software is more secure because it isn't patched that often.
Score: 8 Votes (Like | Disagree)
Slix Avatar
105 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
Score: 8 Votes (Like | Disagree)
CyBeRino Avatar
105 months ago
- iCloud hacks
Last month.


- iOS 8 issues
- iOS 8.0.1 issues
Ok.


- Bentgate
Physics.


- HealthKit issues
Part of 'iOS 8 issues'.


- iPhone 6 RAM issues
Not an issue at all, just some idiots who think RAM is free.


- Free U2 Album issues
Weeks ago.


- Restricted NFC chip
Not an issue, just a business decision that not everyone agrees with.


- Keynote streaming issues
Weeks ago. (Though otherwise valid.)


So yeah, not too bad at all.
Score: 7 Votes (Like | Disagree)
foobarbaz Avatar
105 months ago
Relax, people, the sky is not falling.

This problem primarily affects things running a (web) server.

Your home Mac might technically be affected, but you're likely not running anything that exposes the bug to an attacker.
Score: 7 Votes (Like | Disagree)

Popular Stories

USB C Over Lightning Feature

EU Passes Law to Switch iPhone to USB-C by End of 2024

Tuesday October 4, 2022 3:30 am PDT by
The European Parliament today voted overwhelmingly in favor of enforcing USB-C as a common charging port across a wide range of consumer electronic devices, including the iPhone and AirPods, by the end of 2024. The proposal, known as a directive, forces all consumer electronics manufacturers who sell their products in Europe to ensure that a wide range of devices feature a USB-C port. This...
ipad pro purple

Five Apple Products You Should Avoid Buying Right Now

Wednesday October 5, 2022 2:12 pm PDT by
Rumors suggest that Apple still has several new devices that are coming before the end of the year, including a range of Macs and iPads. It's not looking like we're going to get an October event in 2022, but refreshes are coming soon, probably via press release. If you're planning to buy a Mac or an iPad, make sure to check out our list to know what's safe to pick up now and what's not. iPad ...
General iOS 16 Feature Yellow

10 New iOS 16 Features Coming Later This Year

Monday October 3, 2022 2:41 pm PDT by
iOS 16 was released to the public three weeks ago with a customizable Lock Screen, the ability to edit iMessages, improvements to Focus modes, and much more. And in the coming months, iPhone and iPad users have even more new features to look forward to. We've rounded up 10 new features coming to the iPhone and iPad later this year, according to Apple. Many of the features are part of iOS...
magsafe charger orange

Apple Releases New MagSafe Charger Firmware

Tuesday October 4, 2022 12:09 pm PDT by
Apple today released updated firmware for the MagSafe Charger that is designed to work with the iPhone 12 and later and the AirPods Pro 2. The new firmware is version 10M1821, up from the prior 10M229 firmware. Note that in the Settings app, you'll see a different version number than the firmware number, with the update displayed as version 255.0.0.0 (the prior firmware was 247.0.0.0). The...
maxresdefault

Video: AirPods Pro 2 vs. Bose QuietComfort II

Monday October 3, 2022 12:50 pm PDT by
Apple on September 23 officially launched the second-generation version of the AirPods Pro, introducing updated Active Noise Cancellation, Adaptive Transparency, improved sound, and more. Right around the same time, Bose introduced new QuietComfort II earbuds with many similar features, so we thought we'd compare the two to see which has the edge. Subscribe to the MacRumors YouTube channel for ...
General iOS 16 Feature Yellow

One of iOS 16's Best Features Drains Battery When Enabled

Thursday October 6, 2022 2:15 am PDT by
One of iOS 16's most praised features comes at the cost of draining battery life, according to recently published Apple support documents. The feature, known as "keyboard haptics," is optional in iOS 16 and allows users to get physical feedback via slight vibrations upon the touch of each key, confirming that it was pressed much like keyboard sounds. The feature is a useful addition to the...
aapl logo banner

No October Apple Event Expected Despite Upcoming Wave of New Devices

Wednesday October 5, 2022 2:33 am PDT by
Apple is no longer expected to host an event this month, despite plans to unveil a host of new devices including new iPad and Mac models, according to recent reports. In recent months, Apple has been expected to hold an event in October to announce a range of products that did not receive any stage time during the company's iPhone 14 unveiling event last month. In a recent newsletter, Bloombe...
iOS 16

Apple Preparing iOS 16.0.3 With More Bug Fixes Following iPhone 14 Launch

Monday October 3, 2022 7:53 am PDT by
iOS 16.0.2 was released last month with several bug fixes for iPhone 14 issues, excessive copy and paste permission prompts, and more. Now, evidence suggests that Apple is planning to release iOS 16.0.3 with additional bug fixes. Evidence of an upcoming iOS 16.0.3 software update has shown up in MacRumors analytics logs, which have been a reliable indicator in the past. There are several...
iOS 16

Apple Seeds New Betas of iOS 16.1 and iPadOS 16.1 to Developers [Update: Public Beta Available]

Tuesday October 4, 2022 10:06 am PDT by
Apple today seeded the fourth beta of iOS 16.1 to developers for testing purposes, with the beta coming one week after the release of the third iOS 16.1 beta. The iOS 16.1 beta is also joined by the fifth beta of iPadOS 16.1, which is on a slightly different schedule as Apple started testing it prior to the launch of iOS 16. Registered developers can download the iOS 16‌ and iPadOS 16...
dynamic island outline 1

iOS 16.1 Beta Adds More Pronounced Gray Border Around Dynamic Island When Using Black Wallpapers or in Dark Mode

Tuesday October 4, 2022 11:58 am PDT by
With the latest iOS 16.1 beta, Apple has tweaked the design of the Dynamic Island on the iPhone 14 Pro and Pro Max to make it more visible on a dark background. When using a darker wallpaper or with the darker interface of Dark Mode activated, there is a light gray border around the outside of the Dynamic Island when the screen is dimmed or when the Dynamic Island is in active use. The...