'Bash' Security Flaw in OS X Allows for Malicious Attacks on Devices and Services

terminalicon2 Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

Security researcher Robert Graham noted on his blog that the Bash exploit is "as big as Heartbleed," referring to the flaw discovered earlier this year in the popular OpenSSL software which secures connections between clients and servers:

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.

Heartbleed was said to have affected 66% of the Internet, although Apple announced in April that the exploit did not affect its software or "key services." Apple also released updates for the AirPort Extreme and Time Capsule to better secure both web devices against Heartbleed.

A topic discussing the Bash exploit on StackExchange also notes that Apple did not include a fix for the bug in its latest round of security updates that came alongside the release of OS X Mavericks 10.9.5 last week. It is possible however that Apple will release a fix for OS X in the near future to address the exploit, similar to what it has done for other security issues in the past.

Popular Stories

iphone se 4 modified flag edges

iPhone SE 4 With Face ID Said to Be Priced Below $500

Monday May 20, 2024 3:43 am PDT by
Apple is targeting a sub-$500 starting price for its upcoming fourth-generation iPhone SE model despite a raft of rumored upgrades coming to the more affordable device. According to leaker Revegnus on X, the U.S. launch price of the fourth-generation iPhone SE will either remain at the same $429 starting price as the current model, or will see an increase of around 10%. Either way, Apple's...
iOS 17

Apple Releases iOS 17.5.1 With Fix for Reappearing Photos Bug

Monday May 20, 2024 10:11 am PDT by
Apple today released iOS 17.5.1 and iPadOS 17.5.1, minor updates to the iOS 17 and iPadOS 17 operating system updates that came out last September. The 17.5.1 updates come a week after the launch of iOS 17.5 and iPadOS 17.5. iOS 17.5.1 and iPadOS 17.5.1 can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update. According to Apple's...
iPhone 16 Camera Lozenge 2 Perspective

iPhone 16 Lineup Rumored to Come in These Two New Colors

Sunday May 19, 2024 11:08 am PDT by
Apple analyst Ming-Chi Kuo today outlined his expectations for the iPhone 16 lineup's color options, revealing that two new colors should replace two of the existing shades. Kuo outlined his expectations in a post on X (formerly Twitter) earlier today. He believes that the iPhone 16 Pro and iPhone 16 Pro Max will be available in black, white or silver, gray or "Natural Titanium," and rose....
microsoft surface pro qualcomm

Microsoft Says New Surface Pro is Faster Than 15" M3 MacBook Air

Monday May 20, 2024 3:19 pm PDT by
Microsoft is going all in on AI, today introducing a series of Copilot+ PCs that have AI-focused hardware. The new Surface Pro is one of the first Copilot+ PCs, equipped with Qualcomm's Arm-based Snapdragon X Elite processor. Microsoft is already pitting the Surface Pro against Apple's M3 MacBook Air, and in marketing materials, claims that the Surface Pro has superior processing power and...
iOS 17

iOS 17.5 Bug May Also Resurface Deleted Photos on Wiped, Sold Devices [Updated]

Friday May 17, 2024 12:24 pm PDT by
A bug in iOS 17.5 is apparently causing photos that have been deleted to reappear, and the issue seems to impact even iPhones and iPads that have been erased and sold off to other people. A Reddit user wiped an iPad following Apple's guidelines in September of 2023 before selling it off to a friend. That friend updated the iPad to iPadOS 17.5 this week, and began seeing the Reddit user's old ...
iphone se 4 modified flag edges

When to Expect the Next iPhone SE to Launch

Friday May 17, 2024 2:03 pm PDT by
It has been over two years since Apple released the third-generation iPhone SE, and rumors continue to surface about a new model. The latest word comes from The Information, which today reported that Apple plans to release a new iPhone SE with a design similar to the standard iPhone 14 in the spring of 2025. If this rumor is accurate, the iPhone SE would finally gain Face ID and a notch...

Top Rated Comments

Eweie Avatar
126 months ago
strike three. you're out...
now what?
*still waiting for iPhone + Apple Watch*
*facepalm* you people don't know what bash is do you. this has nothing to do with apple.
Score: 33 Votes (Like | Disagree)
fluchtpunkt Avatar
126 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.

If only Bash would have been open source so people could search bugs in the source code


/s
Score: 31 Votes (Like | Disagree)
fluchtpunkt Avatar
126 months ago
No, as far as I have seen so far the first initial patch didn't actually fix the problem. The fact is that the bug was publicly disclosed yesterday, and you are ranting because there is no patch today, as of yet.
The bug is fixed. The patch is available. Apple could have rolled it out by now.

The GNU people even were so nice to backport the fixes to the ancient version Apple is using because Apple doesn't want code that's licensed with GPL v3.

http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052

Apple just has to apply the patch and provide a new bash binary through software update. Apple does not have to identify the bug, they don't have to come up with a solution, they don't have to verify the fix. Everything is done already.

Stupid politics are the only thing that prevent the release of this bugfix. Probably because they like to bundle patches so people think their software is more secure because it isn't patched that often.
Score: 8 Votes (Like | Disagree)
Slix Avatar
126 months ago
Always interesting to find out that a security bug like this has been around for years and no one knew about it until just now.
Score: 8 Votes (Like | Disagree)
CyBeRino Avatar
126 months ago
- iCloud hacks
Last month.


- iOS 8 issues
- iOS 8.0.1 issues
Ok.


- Bentgate
Physics.


- HealthKit issues
Part of 'iOS 8 issues'.


- iPhone 6 RAM issues
Not an issue at all, just some idiots who think RAM is free.


- Free U2 Album issues
Weeks ago.


- Restricted NFC chip
Not an issue, just a business decision that not everyone agrees with.


- Keynote streaming issues
Weeks ago. (Though otherwise valid.)


So yeah, not too bad at all.
Score: 7 Votes (Like | Disagree)
foobarbaz Avatar
126 months ago
Relax, people, the sky is not falling.

This problem primarily affects things running a (web) server.

Your home Mac might technically be affected, but you're likely not running anything that exposes the bug to an attacker.
Score: 7 Votes (Like | Disagree)