The 'Shellshock' Bash vulnerability and what it means for OS X

Word is spreading on info security websites that there's a vulnerability in a Unix program called Bash. Bash, or Bourne-Again Shell, is standard issue on the Mac, and at this writing, the latest version of OS X — 10.9.5 — has a version that's vulnerable to this new exploit. Should Mac users be concerned about this new security issue? Sure. Should we panic? No, and here's why...

What is Bash?

Bash is a shell — a command processor that lets you type commands which then result in actions. It's been around for 25 years and is the core shell used in most Linux and Unix operating systems (including OS X), found on millions of computers all over the world. It is also used to interpret scripts on behalf of other programs, such as web servers.

The recently discovered vulnerability affects all Bash releases through 4.3, which covers roughly 25 years' worth of Bash versions. A great many systems are therefore potentially affected by this flaw.

What is Shellshock?

The new bug has been nicknamed "Shellshock." The vulnerability lets an outside attacker insert extra code into a Bash command. Researchers are still working out the full extent of the problem, but one of the most prevalent exposures involves web servers running Common Gateway Interface (CGI) scripts, a standard method for creating dynamic content on the web. The attacker supplies "environment variables" whose values contain Bash function definitions with extra commands tacked onto the end; a vulnerable Bash runs those extra commands when it reads the variable. You can read more about it here. Warning: it's pretty dense technical language.

Arbitrary code execution is a very serious problem. The worst case scenario is that an outside attacker can take over the targeted computer, access files and get it to run software it wouldn't otherwise.

Shellshock is being compared to Heartbleed, a bug in the popular security library OpenSSL. The two flaws are unrelated, but, like OpenSSL, Bash is in use on computers all over the Internet, so there's concern that many systems will go unpatched and that hackers will use the exploit for their own ends.

Back to the Mac

OS X Mavericks 10.9.5 includes Bash 3.2, a version of Bash that is vulnerable to the exploit. As this was posted, Apple had not yet released a security patch to update the version of Bash included with Mavericks.

You can test your Mac yourself using a simple command in the Terminal application.

Testing for the Bash vulnerability

  1. Double-click on the Utilities folder.
  2. Double-click on Terminal.
  3. Type (or copy and paste) the following command: env X="() { :;} ; echo vulnerable" /bin/sh -c "echo stuff"

If your Mac says "vulnerable," then the version of Bash installed on it is indeed vulnerable to the problem.
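As an added example (not code from the article or from iMore), the following POSIX shell script shows two defender-side uses of the probe above: scanning web-server log lines for request headers shaped like the environment-variable function definitions described under "What is Shellshock?", and running the same Terminal check against a chosen Bash binary as a function that reports the result as an exit status rather than as text to read. The log lines, the IP addresses and the function names (count_shellshock_lines, shellshock_sources, check_installed_bash) are my own constructions, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the article: two defender-side checks for Shellshock.
#
# 1. count_shellshock_lines / shellshock_sources scan web-server log lines for
#    the tell-tale "() {" that opens a Bash function definition inside a request
#    header, the shape of the CGI exposure described in the article.
# 2. check_installed_bash runs the article's Terminal probe against a given
#    Bash binary and returns the result as an exit status.

# Constructed sample access-log lines (client IP ... request ... status "User-Agent").
# Addresses come from the 192.0.2.0/24 documentation range; the two suspicious
# lines carry only a harmless 'echo' after the function body.
SAMPLE_LOG='192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 "Mozilla/5.0"
192.0.2.11 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 "() { :;}; echo vulnerable"
192.0.2.12 - - [25/Sep/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 "curl/7.30.0"
192.0.2.13 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 "() {:;}; echo test"'

# Count stdin lines containing "()" followed by optional spaces and "{".
# Bracket expressions keep the regex portable across awk implementations.
count_shellshock_lines() {
    awk '/[(][)] *[{]/ { n++ } END { print n + 0 }'
}

# Print the client address (first field) of every matching stdin line, so an
# administrator can see where the attempts came from.
shellshock_sources() {
    awk '/[(][)] *[{]/ { print $1 }'
}

# Probe a Bash binary the way the article's Terminal command does: export a
# variable whose value is a function definition followed by 'echo vulnerable'.
# A vulnerable Bash runs the trailing command while importing the variable and
# prints "vulnerable"; a patched one only prints "stuff".
# Exit status: 0 = vulnerable, 1 = not vulnerable, 2 = no usable Bash found.
check_installed_bash() {
    bash_bin=${1:-$(command -v bash || true)}
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2
    probe_out=$(env X='() { :;}; echo vulnerable' "$bash_bin" -c 'echo stuff' 2>/dev/null || true)
    case $probe_out in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Stand-alone run: report on the constructed log and on the local Bash.
printf 'Suspicious request lines in sample log: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_lines)"
printf 'Sources: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | shellshock_sources | tr '\n' ' ')"
rc=0
check_installed_bash || rc=$?
case $rc in
    0) echo 'Local Bash: VULNERABLE, update it' ;;
    1) echo 'Local Bash: not vulnerable to this probe' ;;
    *) echo 'Local Bash: not found' ;;
esac
```

Run it with `sh shellshock-check.sh`. The article's command runs the probe through `/bin/sh`, which on OS X is Bash; the function names the Bash binary explicitly so the same check gives a meaningful answer on systems where `/bin/sh` is a different shell. Returning an exit status rather than printing a word lets the check be dropped into a monitoring script that fires only on status 0.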

But that doesn't mean that your Mac can be exploited by hackers. You'd have to be running software that is accessible to the outside world and invokes Bash when it is run. So far I haven't seen any exploits that the average Mac user would need to worry about.

What now?

System administrators and IT personnel responsible for managing Internet-facing servers need to be on high alert at this hour, patching vulnerable systems with an updated release of Bash or even using a shell program besides Bash until a better solution is available.

StackExchange has an explanation of how to patch the Macintosh version of Bash, but this isn't something I'd recommend for the lay user. For one thing, it depends on having Apple's Xcode programming environment installed on your Mac. For another, it depends on being comfortable using the Mac's command line interface via the Terminal program.

For those reasons, I'd recommend holding off until an officially-brewed fix is ready from Apple. Given the high public profile of this particular problem, I hope that won't be too long.

Are you concerned about the Bash vulnerability? Are you waiting for Apple to update security on Mavericks and other operating systems? Let me know in the comments.

Peter Cohen
  • My memory is a little fuzzy, but I think I remember John F. Braun mentioning recently on the Mac Geek Gab podcast that there is another shell that can be set as default instead of bash. The conversation wasn't about security, just his preference. I subscribe to several podcasts that are geeky enough to discuss an issue like this so it could be Adam Christensen or someone else. I have no idea whether choosing to use another shell would be a defense or whether just the presence of bash itself is the problem. I suspect a surgery to remove bash would be far beyond the capability of the typical user.
  • Using another shell won't solve the problem. Lots of scripts explicitly state the use of bash (first line is #!/bin/bash), so bash will be called no matter what.
  • Peter: More precisely, the version of bash in Mavericks is 3.2.51(1). As the final patch isn't ready yet, it's unclear what the patched version number will be, but it could well be some flavor of 3.2 as well — perhaps 3.2.51(2) or 3.2.52.
  • The vulnerability seems present on the latest dev version of Yosemite as well. Sent from the iMore App
  • So many Shellshock headlines include Apple but almost none mention Android which, besides handsets, is running connected appliances everywhere which may never get firmware updates. Routers come to mind first but the entire IoT is vulnerable. Bigger than Heartbleed, indeed.
  • By default, Android doesn't use BASH...neither does iOS for that matter...only Mac...Windows doesn't use it either. Google won't even distribute BASH due to licensing restrictions. This is an Apple issue for Macs. On a side note, since Apple loves to talk about being virus free, let them be the big dog in the PC wars, and you'll finally see a deluge of hackers exploiting Unix coding... Posted via the Android iMore App!
  • Macs aren't shipped with it either. It's included with Apple Developers tools, like Xcode, Command Line Tools package or if you installed a dist. as an alternative or replacement. All of those scenarios can be easily fixed. My comment wasn't focused on Android handsets, but why wouldn't they be cause for equal concern? Could not a rogue app or custom ROM feature facilitate the vulnerability on a rooted handset? Of course they could. I'm more concerned about what may not, or cannot, be fixed in the Internet of Things (IoT). TVs, home automation appliances and so on. The Shellshock vulnerability potentially affects an enormous range of products with connectivity going back many years, not just Macs with users who've installed BASH.
  • Apologies. Caught my mistake late. Macs are shipped with BASH, just not Shellshock vulnerable with default settings.
  • If you are going to raise an alarm about rooted Android handsets that have installed vulnerable services, you might also raise that same alarm about jail broken ios devices that have done the same, as the same services are available on Cydia Sent from the iMore App
  • While I haven't yet run the command, I did notice Kaspersky said in their article to type in "…echo this is a test" while iMore staff suggests typing in "…echo stuff"
    Does it really matter which is used?
    I'd be curious as to how many tests are coming up with a "vulnerable" and which OSX is coming up positive the most. Sent from the iMore App
  • It absolutely doesn't matter :) It could be echo banana, echo hello, or whatever. The command outputs "vulnerable" just before the other word(s), if your system is vulnerable.
    In fact this bug allows someone to *add* some code to other commands. By issuing the described commands, you exploit the security hole by yourself by adding a command that adds the word "vulnerable" to the output, before the other part of the script. For instance if you choose the word "banana", if your system is vulnerable it will output:
    vulnerable
    banana
    whereas it would only output banana if not vulnerable. Hope this helps.
  • Also, pretty sure that 100% of tested systems are vulnerable, no matter what their version of OS X is — unless they have been fixed by very experienced tech-savvy people using unofficial patches.
    Even the latest OS X Yosemite dev build includes a vulnerable version of bash.
  • Peter, what about the Back to my Mac/Remote Desktop/Share Screen feature? Should we be worried? Thanks.
  • Nope.
  • Thank you, sir.
  • We have a machine running Mac OS X 10.5.8 Server at work (running file sharing, ichat, mail, web and VPN services, with ports open for VPN services). Should I worry about this? Is Xcode 3.2.6 on 10.5.8 recent enough to carry out the Bash update process described on StackExchange? What's the latest version of Bash you can run on powerpc-apple-darwin9.0 and is it vulnerable or not?
  • I tried to update Bash on a PowerPC running Mac OS X 10.5.8 Server but when I double-checked everything I got this:
    $ echo $SHELL
    $ echo $BASH_VERSION
    3.2.17(1)-release
    and was expecting something like this:
    $ echo $SHELL
    $ echo $BASH_VERSION
    4.3.25(1)-release
    What I did:
    Downloaded and installed Xcode 3.1.4 from here:
    Installed Tigerbrew with this command:
    $ ruby -e "$(curl -fsSkL"
    Then git:
    $ brew install git
    Then updated Tigerbrew's formulæ:
    $ brew update
    Installed latest Bash:
    $ brew install bash
    Added this install of bash to the allowed shells list:
    $ sudo bash -c "echo /usr/local/bin/bash >> /private/etc/shells"
    Then changed shell to use this new one:
    $ chsh -s /usr/local/bin/bash
    This last step didn't seem to work.