
Apple is aware of the recently discovered bash vulnerability nicknamed Shellshock, and is working quickly to provide a software update for OS X, the operating system that runs on the Mac.
"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an Apple spokesperson told iMore. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users."
The vulnerability reportedly affects most Linux- and Unix-based operating systems around the world, including OS X. That's millions of computers and embedded devices, all of which will need a patched bash as soon as possible.
If you're an advanced enough user to have enabled the kinds of services Shellshock can reach, you're also likely advanced enough to turn those services off for now, or to rebuild a patched bash yourself with Xcode's compiler tools.
For everyone else, be informed but don't panic. Most people aren't at high risk. Stay updated, but also understand that there's no real reason for significant concern at this point.
Reader comments
Apple: Most OS X users safe from 'Shellshock' exploit, patch coming quickly for advanced Unix users
Good to know, thanks!
Nice of Apple not to document what "advanced Unix services" are.
Such users would've started out by installing Xcode or the standalone Command Line Tools. From there such users may install alternative tools like Homebrew or MacPorts, used to manage packages which can run servers that can face the internet. Other users of advanced Unix services include those who run OS X Server.app or MAMP, are familiar with PHP and CGI, or hold system admin jobs.
It means if you have no idea what any of this means, your system is not affected.
I read up a bit on this exploit and it depends on somebody getting to your Bash shell. In normal systems, that's not exposed to the internet. I have read that Apache might route some things through the Bash shell - if true, I would consider this a bug in Apache. But to be on the safe side, turn all the boxes in your "Sharing" System Preferences off.
The typical avenue of attack is via a web server. If you don't have a web server running, you're probably alright. If you are running an SSH server (Remote Login), you are also possibly vulnerable. The DHCP attack vector doesn't *seem* to be an issue with OS X, but I haven't seen that independently verified. In any case, Apple needs to get a fix out the door yesterday, if not sooner.
My thoughts exactly. They make it sound like we're talking about a specific option you could enable. To realize they basically mean "if you never use the command line or log in to your system(s) remotely, you're not at risk" is a bit unsettling. I spend all day in Terminal, doing enterprise IT work for a huge organization that leverages things like SSH via group policy, and 99% of our users have bash set as their default shell. How is this not a "real reason for significant concern at this point"? I either let thousands of our users stay vulnerable or compile bash for all of them in Xcode and undo it later? Just admit it's a huge problem and you're in the same ugly situation as Solaris and RHEL, Apple! Why are you so bent on pretending OS X isn't Unix? Do you really expect people to believe Macs aren't computers, but magical boxes that don't need patches for OpenSSL, Apache, and now Bash? Nonsense!
I am still on 10.9.4! Does it affect me?
It impacts ALL versions of Bash, which is all current and previous versions of OS X, Linux, and Unix-based systems.
So yes... and no... because if you're having to ask, then it's not likely you've enabled any advanced sharing features (SSH or Apache) on your system, which is what makes you a target.
So it looks like normal users shouldn't be too worried. We should be more worried about companies such as on-line retailers who might have large servers that have this vulnerability. I certainly hope those companies have taken steps to safeguard customer info.
Come on, ssh and bash are not really what I'd call "advanced." They're both used daily in enterprise. I write bash scripts that are pushed to my users' Macs via group policy, and leverage ssh to join systems to our domain and allow our enterprise vulnerability scanners to run. That stuff may be advanced, but most of our users aren't, and Apple essentially just told them not to panic while telling me I can't protect them. Outstanding PR!
I'm not technically advanced Corey, but I've used the terminal. I've seen other sites offering a means to update bash's version to something safer. I considered doing so myself, but my understanding curve didn't give me the confidence.
Admittedly it isn't an Apple certified solution, which is perhaps the problem for folks who work in enterprise e.g., not wanting to take unnecessary risk. I'm sure those who don't need Apple's blessing have taken care of this issue already.
Seriously? You don't consider that advanced? Yes, it's used daily in enterprise - at an advanced level! Writing Bash scripts is "advanced". I'm fairly technically adept, I'm the go-to person for technical support in the family, but writing a Bash script is way too advanced for me, quite frankly. I can use SSH if I have to, but have no need for it, and nothing I can't simply walk over to and do it more easily there. And yes, using SSH on a Bash shell is advanced. This is a statement to iMore, not an official Knowledge Base article. I would expect such an article to have details, not necessarily a statement from a PR person.
I said the scripts are advanced. My users are not. Apple is convincing them that since THEY do not open Terminal, their work machines are not vulnerable, which is false.
I was reading the exchanges between the contributors to the blog where the issue was being discussed in detail.
There is a one-line command that you can run in Terminal which will tell you if your system is susceptible to the bug by displaying the word "vulnerable" together with the current date and time; if not vulnerable, it will throw up a message indicating that there was an error trying to parse the command, and in this case it would NOT display the word "vulnerable".
So yes, the very latest version of the Bourne Again Shell (bash) patches the bug.
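The one-line check the last comment describes, and the web-server (CGI) route the earlier comments single out, as an added example that is not part of the article or any reader's comment. It assumes a `bash` binary on PATH (or a path passed as an argument) and uses an echoed marker in place of the `date` output the comment mentions, so the result is easy to compare; the function names `probe_shell`, `check_shellshock` and `check_cgi_vector` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article or its commenters.
# Probes a shell binary for the original Shellshock parsing bug (CVE-2014-6271):
# affected bash treated any environment variable whose value began with "() {"
# as an exported function definition and kept executing the text after the
# closing brace. A CGI web server copies request headers into the environment
# (the User-Agent header becomes HTTP_USER_AGENT), so a remote client could
# supply that text without logging in, which is why the thread points at web
# servers as the usual vector.

# probe_shell VARNAME [SHELL]
# Starts SHELL (default: bash) with VARNAME set to a Shellshock-shaped value
# whose trailing command only echoes a marker (constructed, harmless payload).
# Prints "vulnerable", "not vulnerable", or "unknown" (no such shell/no output).
probe_shell() {
    varname="$1"
    shell="${2:-bash}"
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    out=$(env "$varname=() { :;}; echo SHELLSHOCK_MARKER" \
              "$shell" -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;      # trailing command executed
        *probe-ran*)         echo "not vulnerable" ;;  # only the -c command ran
        *)                   echo "unknown" ;;
    esac
}

# The widely circulated one-liner from the comment above, as a function.
# The original printed the date; this variant prints a fixed marker instead.
check_shellshock() {
    probe_shell x "${1:-bash}"
}

# Same probe, but through the variable name a CGI server used for the
# User-Agent header. The variable name is irrelevant to the bug (only the
# value's shape matters), which is what made an unauthenticated HTTP request
# enough to reach bash on a CGI-enabled web server.
check_cgi_vector() {
    probe_shell HTTP_USER_AGENT "${1:-bash}"
}

# Stand-alone use: sh shellshock-probe.sh [path-to-bash]
printf 'bash via x:               %s\n' "$(check_shellshock "$@")"
printf 'bash via HTTP_USER_AGENT: %s\n' "$(check_cgi_vector "$@")"
```

A "not vulnerable" result only says the function-import bug is fixed in that particular binary; whether a machine is exposed depends on what feeds attacker-controlled text into bash's environment (the CGI, SSH and DHCP question the comments argue over). Run the probe against the interpreter a service actually uses, typically /bin/bash, since a Homebrew or MacPorts bash first on PATH may be a different build from the system one.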