• United States



Senior Staff Writer

Apple publishes patch for Shellshock vulnerability

Sep 29, 20142 mins
AppleNetwork SecurityOperating Systems

Apple's Shellshock patch covers Lion, Mountain Lion, and Mavericks

On Monday, Apple released three patches to address vulnerabilities in GNU Bash, commonly known as Shellshock, that if exploited could allow an attacker to execute commands on the targeted host.

When Shellshock was disclosed, the primary concern was the large number of switches, routers, and web servers that use GNU Bash as part of their Linux or UNIX environment. However, OS X is UNIX-based, so researchers were quick to point out that Shellshock impacted far more than essential corporate assets.

Apple, in statements to the media, initially reported that a majority of OS X users were immune from the risks associated with Shellshock, because of the default configurations the OS uses.

However, users that enabled advanced UNIX services were exposed. The company promised a patch, which was delivered a few days later.

Monday’s releases cover OS X Lion, Mountain Lion, and Mavericks. At just over 3MB in size, they’re easily applied, and Apple encourages anyone that has enabled advanced UNIX functions to install the proper patch.

OS X users are at risk if they’ve enabled remote login for all users, including guests. However, security conscious users have likely avoided that option, because it comes with an increased risk.

Users on older versions of OS X, Lion or earlier, that have enabled Apache, PHP, or other scripting environment are also at risk.

“The attacker can then insert the variables into the script or extension that gets run under the Bash shell, then the injection gets into the Shellshock vulnerability, and voila—machine compromised. This one, however, requires exploiting two holes. First, in the script running on Apache, and then in turn using that compromised script to send something to the Bash shell,” explained Derek Erwin of Intego.

Outside of issues related to Shellshock and Apple, the problem remains a complex one that has captured most of the security industry. More importantly, it has become the focal point of discussions for those that work in the trenches given the buzz the flaw has generated.

With that said, experts from the SANS Institute, interviewed by CSO, have offered some essential advice for addressing Shellshock within your organization. The full details are available here.