Apple's Shellshock patch covers Lion, Mountain Lion, and Mavericks

On Monday, Apple released three patches to address vulnerabilities in GNU Bash, commonly known as Shellshock, that if exploited could allow an attacker to execute commands on the targeted host.

When Shellshock was disclosed, the primary concern was the large number of switches, routers, and web servers that use GNU Bash as part of their Linux or UNIX environment. However, OS X is UNIX-based, so researchers were quick to point out that Shellshock impacted far more than essential corporate assets.

Apple, in statements to the media, initially reported that a majority of OS X users were immune from the risks associated with Shellshock because of the default configurations the OS uses. However, users that enabled advanced UNIX services were exposed. The company promised a patch, which was delivered a few days later.

Monday’s releases cover OS X Lion, Mountain Lion, and Mavericks. At just over 3MB in size, they’re easily applied, and Apple encourages anyone that has enabled advanced UNIX functions to install the proper patch.

OS X users are at risk if they’ve enabled remote login for all users, including guests. However, security-conscious users have likely avoided that option, because it comes with an increased risk. Users on older versions of OS X, Lion or earlier, that have enabled Apache, PHP, or other scripting environments are also at risk.

“The attacker can then insert the variables into the script or extension that gets run under the Bash shell, then the injection gets into the Shellshock vulnerability, and voila—machine compromised. This one, however, requires exploiting two holes. First, in the script running on Apache, and then in turn using that compromised script to send something to the Bash shell,” explained Derek Erwin of Intego.

Outside of issues related to Shellshock and Apple, the problem remains a complex one that has captured the attention of most of the security industry.
More importantly, it has become the focal point of discussions for those that work in the trenches, given the buzz the flaw has generated. With that said, experts from the SANS Institute, interviewed by CSO, have offered some essential advice for addressing Shellshock within your organization. The full details are available here.
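For administrators who want to confirm that the patch actually took on a given machine, the following self-check exercises the function-import behaviour the article describes: a vulnerable bash keeps parsing an exported function definition past its closing brace and runs whatever trails it. This is an added example, not code from the article, Apple, or Intego; the script name, the SHELLSHOCK_MARKER sentinel, and the bash path argument are assumptions.

```shell
#!/bin/sh
# Shellshock self-check (added example; not from the article, Apple or Intego).
# A vulnerable bash keeps parsing an exported function definition past its
# closing brace, so any trailing command in the variable runs when bash starts.
# A patched bash imports the function and ignores the rest.
# Usage: sh shellshock-check.sh [/path/to/bash]

# Return 0 if the bash at $1 (or the first bash on PATH) runs the trailing
# command (vulnerable), 1 if it does not (patched), 2 if no bash was found.
shellshock_check() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2
    # SHELLSHOCK_MARKER is a constructed sentinel: only a vulnerable bash prints it.
    out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for the given (or default) bash.
shellshock_report() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    shellshock_check "$bash_bin"
    case $? in
        0) echo "VULNERABLE: $bash_bin executes code after an imported function; install the patch" ;;
        1) echo "OK: $bash_bin ignores trailing commands in function imports" ;;
        *) echo "SKIP: no bash binary found" ;;
    esac
}

shellshock_report "$1"
```

On OS X the check only matters once remote login or a web scripting environment is enabled, as the article notes, but it is cheap to run on every host after patching.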