Apple's recently released patch for Shellshock doesn't stop all attack vectors

On Monday, Apple released three patches to address two vulnerabilities in GNU Bash, commonly referred to as Shellshock. Experts who have tested the various known attack surfaces say that Apple’s patch doesn’t fix everything.

Shellshock impacts OS X if users have enabled advanced UNIX services. For the most part, this means a majority of OS X users are not impacted by GNU Bash’s problems. Those that have enabled advanced UNIX settings, such as users in the technology sector or users with a certain degree of technical confidence, were exposed. For this reason alone, Apple made the decision to publish updates.

However, after additional testing, researchers at Rapid7 have reported that Apple’s patches aren’t complete. According to Greg Wiseman, who posted a brief note on the topic on Rapid7’s community portal, while Apple patched the two widely known Shellshock vulnerabilities, the patch didn’t catch everything. Presently, OS X users are still vulnerable to CVE-2014-7186, which enables remote attackers to cause Denial of Service conditions or execute commands within the context of an affected application. In an interview with Salted Hash, Wiseman confirmed that systems running any of the three newly released Apple patches remain vulnerable to CVE-2014-7186.

At the same time, he added, “It’s not clear that there’s any exploit out there now, beyond a Denial of Service, or that there will be.” Still, caution is encouraged, and OS X users who have implemented advanced UNIX settings are being advised to update regardless, because the two flaws that were patched are still critical and not something that should be placed on a back burner.

In addition to CVE-2014-7186, there is also talk that patched OS X systems are vulnerable to the overwrite-bash-functions flaw. Additional details on that issue are available here.

"@alblue Thanks for updating your bash bug blog post about Apple’s fix. But I think ‘game over’ problem still exists. pic.twitter.com/ktNdJnzkYb" (ake, @ake_____, September 29, 2014)

For those looking for additional technical details, a thread on Stack Exchange has plenty of good advice.

It’s important to note that Apple isn’t the first vendor to release updates for Shellshock, only to discover that they’re incomplete. Since the problem was disclosed on September 24, vendors and developers have struggled to stay on top of this issue. It’s a giant game of whack-a-mole: as soon as one attack path is fixed, another pops up. It’s going to be some time before this vulnerability is well and truly closed.

Update: There has been additional research conducted on the Apple patches. In an email, Greg Wiseman said that after additional testing, it would seem that while Apple’s patches do include the two bugs, they are not exploitable. Wiseman will update his blog post with additional details. The post is linked in the story above.
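Added here as a defender's local check, not code from the article or from Apple, Rapid7 or the tweet's author: a POSIX shell script that asks the installed bash whether it still exhibits the original function-import bug, the "game over" function-overwrite variant mentioned in the tweet, and the CVE-2014-7186 here-document crash. The function names and report format are the example's own assumptions; every probe only ever runs a printf.

```shell
#!/bin/sh
# Local patch-status check for the bash bugs discussed above (added example,
# not from the article or from Apple/Rapid7). Each probe places a harmless
# function definition in the environment and asks the installed bash whether
# it imports or mis-parses it; the only thing ever executed is a printf.

# Original Shellshock bug: trailing commands after an imported function body.
# Patched bash prints only "test"; an unpatched one also runs the trailing printf.
check_function_import() {
    out=$(env x='() { :;}; printf vulnerable' bash -c 'printf test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo VULNERABLE ;;
        *)            echo patched ;;
    esac
}

# "Game over" variant referenced in the tweet: an env var named after a
# command is imported as a function that shadows the real command. Patched
# bash only imports functions from specially prefixed variables, so `true`
# stays the builtin and nothing is printed.
check_function_overwrite() {
    out=$(env true='() { printf vulnerable; }' bash -c 'true' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo VULNERABLE ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7186: parsing many here-documents in one command overflows an
# internal redirection stack in unpatched bash and crashes it (the DoS the
# article mentions). A patched bash parses them and exits 0.
check_cve_2014_7186() {
    heredocs='true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
    if bash -c "$heredocs" </dev/null >/dev/null 2>&1; then
        echo patched
    else
        echo VULNERABLE
    fi
}

# One line per check; suitable for feeding a fleet inventory script.
shellshock_report() {
    printf 'function-import:    %s\n' "$(check_function_import)"
    printf 'function-overwrite: %s\n' "$(check_function_overwrite)"
    printf 'CVE-2014-7186:      %s\n' "$(check_cve_2014_7186)"
}

shellshock_report
```

A host that prints VULNERABLE on any line still needs the vendor's current bash update; the script does not change anything on the system.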