Apple Fixes Shellshock In OS X

← Back to Stories (view on slashdot.org)

Apple Fixes Shellshock In OS X

Posted by timothy on Tuesday September 30, 2014 @12:42AM from the that's-mac-os-x-to-you-buddy dept.

jones_supa (887896) writes Apple has released the OS X Bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion, a patch that fixes the "Shellshock" bug in the Bash shell. Bash, which is the default shell for many Linux-based operating systems, has been updated two times to fix the bug, and many Linux distributions have already issued updates to their users. When installed on an OS X Mavericks system, the patch upgrades the Bash shell from version 3.2.51 to version 3.2.53. The update requires the OS X 10.9.5, 10.8.5, or 10.7.5 updates to be installed on the system first. An Apple representative told Ars Technica that OS X Yosemite, the upcoming version of OS X, will receive the patch later.

174 comments

Min score:

Reason:

Sort:

Why isn't this auto-update? by Anonymous Coward · 2014-09-30 00:47 · Score: 5, Informative

I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the slashdot article and manually download the patch?!?!?
1. Re:Why isn't this auto-update? by kybred · 2014-09-30 00:54 · Score: 4, Informative
  
  I downloaded and installed this update. It updates bash to version 3.2.53(1), but a patch to version 3.2.54(1) is available on gnu.org. I'm guessing that there will be more updates since additional issues with the parsing in bash have been (are being) found.
2. Re:Why isn't this auto-update? by Tarlus · 2014-09-30 01:37 · Score: 1
  
  I think Apple is a little leery about being too quick to release patches these days...
  
  --
  /* No Comment */
3. Re:Why isn't this auto-update? by Noah+Haders · 2014-09-30 01:51 · Score: 1
  
  often the patches are rolled out over the course of a day to prevent overwhelming the servers. no bigs.
4. Re:Why isn't this auto-update? by Barsteward · 2014-09-30 02:04 · Score: 1
  
  probably waiting for everyone else to fix it first so its an easy job
  
  --
  "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
5. Re:Why isn't this auto-update? by Anonymous Coward · 2014-09-30 02:23 · Score: 0
  
  I think Apple is a little leery about being too quick to release patches these days...
  That's a hell of a gamble considering the vuln here...what's worse, rolling back a patch or a few million compromised systems?
6. Re:Why isn't this auto-update? by jythie · 2014-09-30 02:47 · Score: 2
  
  It depends on what the malfunctioning patch does to the systems.
  
  Since macs are rarely used as servers the number out there is probably going to be pretty small, so that has to be factored in as well.
7. Re:Why isn't this auto-update? by amorsen · 2014-09-30 02:48 · Score: 1, Funny
  
  Yes, the typical use case for a MacBook is serving bash scripts over HTTP. Patch quickly!
  
  --
  Finally! A year of moderation! Ready for 2019?
8. Re:Why isn't this auto-update? by Cro+Magnon · 2014-09-30 02:53 · Score: 1
  
  Yeah, I guess they're worried it will mess up their cloud or phone calls or something. :-P
  
  --
  Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
9. Re: Why isn't this auto-update? by Anonymous Coward · 2014-09-30 03:02 · Score: 0
  
  That's not the only way these flaws can be exploited, you know. These are very general vulnerabilities that can be triggered in many different ways.
10. Re:Why isn't this auto-update? by tlhIngan · 2014-09-30 03:29 · Score: 5, Insightful
  
  I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the slashdot article and manually download the patch?!?!?
  Because of many reasons.
  First off, the patch isn't complete. Sure there was a patch last week, but did you know it didn't fix the problem? Yes, it fixed the obvious error, but there were still more (and new CVE was opened for Shellshock). Bash devs are still finding more holes related to this issue, and it goes down a deep rabbit hole. This hole may never be full patched for a long time.
  Second, there aren't many OS X systems that are exploitable. Remote exploits require a server to take parameters, format them as environment variables and then call the shell (usually through system()). HTTP and CGI scripts are a common vector because that's exactly how they work. Most webservers out there run Linux and there really isn't a special reason to run OS X + httpd + CGI over running it on Linux especially on a public server. So for the scant few servers, those admins can update the shell.
  And on OS X, the webserver is disabled by default and most users won't know how to turn it on. I don't think even OS X server has it on by default - given the server is really just a bunch of admin tools nowadays.
  Third, well, I don't think many OS X apps actually bother using a call like system() to perform a task - there's probably a native Cocoa API that is supposed to be used instead.
  So it's more of a hotpatch for those few machines that are potentially vulnerable. In fact, the patch that was provided last week wasn't fixing the issue, more working around the issue so it's harder to exploit (i.e., instead of an arbitrary variable containing a function, it has to be prefixed with _BASH_FUNC_ in order to be allowed as a definition).
  There is currently no root-cause fix for the issue - it's actively being worked on by Bash developers and others. This isn't like heartbleed where the mistake was a little programming oversight - it's a full on design issue that dates back 20+ years. There are probably going to be dozens of patches to fix the issue in the end.
11. Re:Why isn't this auto-update? by Anonymous Coward · 2014-09-30 03:35 · Score: 0
  
  Looks like Apple did fix the vulnerability patched in 54, only they did it with their own patch instead of waiting for GNU's patch.
12. Re:Why isn't this auto-update? by Anonymous Coward · 2014-09-30 04:06 · Score: 0
  
  If the lock breaks on your front door, you fix it right away. You don't wait to see if there might be other problems with the door or the jamb, and leave the front door swinging while you go for a coffee.
  This is a major security hole and even the current level of patching in bash significantly narrows the exposure. This hole is actively being exploited in the wild. It is incredibly irresponsible of Apple to not roll out this patch automatically for everyone. If they patch it again tomorrow and the day after and again next Friday, then so be it.
13. Re:Why isn't this auto-update? by smash · 2014-09-30 04:10 · Score: 1
  
  ON the contrary.... insufficient QA = potentially a hundred million functionally broken machines, vs. perhaps 5 nerds with compromised mac web servers exposed to the internet from not pushing it out.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
14. Re: Why isn't this auto-update? by smash · 2014-09-30 04:12 · Score: 2
  
  The majority of which do not apply to OS X and only linux, because OS X isn't held together with shell scripts and duct tape.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
15. Re:Why isn't this auto-update? by smash · 2014-09-30 04:14 · Score: 1
  
  I will be amazed if you can find a single compromised OS X box.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
16. Re:Why isn't this auto-update? by Anonymous Coward · 2014-09-30 04:43 · Score: 0
  
  Those that the gods smite first make proud.
17. Re:Why isn't this auto-update? by wwphx · 2014-09-30 05:02 · Score: 1
  
  The suspicion is that this will be a silent slipstream patch and you won't notice it. And that's probably fine for most Mac users. Myself, I manually applied it.
  
  My question is whether this is a full patch, or just the partial one that they've been talking about for most *nix distros.
  
  --
  When you sympathize with stupidity, you start thinking like an idiot.
18. Re:Why isn't this auto-update? by Anonymous Coward · 2014-09-30 05:16 · Score: 0
  
  Well, considering that there were a couple more problems discovered since the original one, it probably wasn't such a bad idea to wait a few days.
  That being said, I do run some old PPC machines, and my main laptop is still on 10.6.8 (because I still use a couple of PPC things and need Rosetta). I've already disabled mod-cgi everywhere just in case, and when the dust settles a bit, I'm going to compile a fresh bash from source.
19. Re:Why isn't this auto-update? by Anonymous Coward · 2014-09-30 05:23 · Score: 1
  
  So what that means is, Apple wrote GPL code?
20. Re: Why isn't this auto-update? by Anonymous Coward · 2014-09-30 05:26 · Score: 0
  
  Well, lets's see, there's... dhclient? Nope, Linux-only!
  Aside from badly implemented CGI and dhclient, there haven't really been any other widely-exploitable problems caused by this. Yet, anyhow.
21. Re: Why isn't this auto-update? by Anonymous Coward · 2014-09-30 06:07 · Score: 2, Informative
  
  Why not?
  http://opensource.apple.com
22. Re: Why isn't this auto-update? by brantondaveperson · 2014-09-30 07:15 · Score: 1
  
  There will be. Unfortunately, those who would take over our computers do not share our lack of imagination.
23. Re:Why isn't this auto-update? by Anonymous Coward · 2014-09-30 07:17 · Score: 0
  
  A door analogy. Helpful.
24. Re:Why isn't this auto-update? by TechyImmigrant · 2014-09-30 07:30 · Score: 1
  
  > it has to be prefixed with _BASH_FUNC_ in order to be allowed as a definition)
  What's stopping me passing _BASH_FUNC_ in a HTTP request to a BASH CGI script?
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
25. Re:Why isn't this auto-update? by Aaden42 · 2014-09-30 07:54 · Score: 1
  
  It’s really not a gamble for the majority of their customers. Default install ships with neither SSH, nor Apache, nor anything else that could possibly route network input to a copy of Bash enabled by default (both OpenSSH & Apache are included, just turned off). To be expoitable would require manually enabling Apache, then manually editing httpd.conf to enable some kind of CGI binding (none enabled in default shipped config file).
  The number of their customers who were actually vulnerable to this is probably single digit percentages. I’m glad to have the patch available, but none of the dozen or so Apple machines I’m responsible for at home or work were actually configured such that they were vulnerable to this.
26. Re: Why isn't this auto-update? by Aaden42 · 2014-09-30 07:56 · Score: 1
  
  Dirty little secret: OS X is held together with something that smells disturbingly like systemd...
27. Re: Why isn't this auto-update? by BasilBrush · 2014-09-30 09:07 · Score: 2
  
  That's not a "dirty secret". Having a single component that launches all daemons is a laudable improvement over the adhoc, multiple methods that had grown up in Unix like OSs.
  Linux has political problems between Linus and the systemd team, and systemd may be overreaching. None of which is relevant to OSXs entirely different component launchd.
  And if anyone thinks there's any copying going on here, take note of the direction - OSX launchd dates back to 2005. Linux systemd to 2010.
28. Re:Why isn't this auto-update? by macs4all · 2014-09-30 09:25 · Score: 0
  
  ON the contrary.... insufficient QA = potentially a hundred million functionally broken machines, vs. perhaps 5 nerds with compromised mac web servers exposed to the internet from not pushing it out.
  And 15 million more with CUPS Servers running, and possibly exposed to the internet.
29. Re:Why isn't this auto-update? by angel'o'sphere · 2014-09-30 09:42 · Score: 1
  
  Erm, you talk about Macs? No?
  Yes, they are distributed with an Apache web server and SSH.
  If you consider "manually enabling" similar to clicking the check box in the "sharing" section of "system preferences" then it is indeed a hard job for the typical Mac user! (* facepalm *)
  And you are an admin for macs and don't know they come with Apache httpd and SSH preinstalled?
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
30. Re:Why isn't this auto-update? by Anonymous Coward · 2014-09-30 10:03 · Score: 0
  
  If you can set an arbitrary environment variable within a process, prior to that process calling system() (or popen(), for that matter), you have already won. Most web browser/CGI scripting environments are scrupulously careful about not allowing arbitrary environment variables, and that means (amongst other things) that setting a variable whose name starts with _BASH_FUNC_ is going to be nigh impossible through a standard HTTP interface.
  Think about setting PATH, LD_PRELOAD, IFS, and HOME, for example. There may be others.
31. Re:Why isn't this auto-update? by Anonymous Coward · 2014-09-30 10:28 · Score: 0
  
  The original problem was the definition of an anonymous function which would be called automatically because it didn't have a name.
32. Re:Why isn't this auto-update? by TechyImmigrant · 2014-09-30 11:01 · Score: 1
  
  >that setting a variable whose name starts with _BASH_FUNC_ is going to be nigh impossible through a standard HTTP interface.
  But that's exactly what I did by appending ?_BASH_FUNC_thingy=myattack to a url to a CGI script.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
33. Re:Why isn't this auto-update? by TechyImmigrant · 2014-09-30 11:04 · Score: 1
  
  Fortunately for the evil doers, they don't have to be bound by past vulnerabilities.
  Just give it a name that the script already uses.
  If the script uses functions passed through the environment variables, it is now going to be written such that those variable names are prefixed with _BASH_FUNC_ because the new changes require it. So the attacker follows suit. The point being that the attacker can indeed modify the name and he or she or it can modify it to suit the script being attacked.
  The underlying problem is using environment variables (I.E. data) that get executed by the interpreter. Don't do that. You can write CGI programs that are invulnerable, but you can't be sure every CGI program in every bit is system and web bloatware is invulnerable.
  Better to fix CGI. Give it a new interface. E.G. It calls the program and hands it a pointer to a file that contains the variables. Or uses any other form of IPC. Just make sure it can't get executed unless intentionally by the idiot writing the receiving end.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
34. Re:Why isn't this auto-update? by marka63 · 2014-09-30 11:18 · Score: 1
  
  And at 3.3M they may as well just push it out rather than delaying it. A couple of checks will be more costly than just letting everyone download it straight away.
35. Re:Why isn't this auto-update? by Macgrrl · 2014-09-30 11:42 · Score: 1
  
  I don't understand, can you please express this as a car analogy.
  
  --
  Sara
  Designer, Gamer, Macgrrl in an XP World
36. Re: Why isn't this auto-update? by unixisc · 2014-09-30 12:01 · Score: 2
  
  Yeah, but since GPL3, Apple doesn't touch GPL code w/ a bargepole - GCC and Samba have both been shown the door. Which is why it's surprising that Apple uses bash, when they have the source code to a lot of closed shells, courtesy their ownership of both NEXTSTEP and in ancient times, A/UX
37. Re: Why isn't this auto-update? by kybred · 2014-09-30 15:07 · Score: 2
  
  Bash 3.2 is still under the GPL v2.
38. Re:Why isn't this auto-update? by kybred · 2014-09-30 15:11 · Score: 1
  
  The knowledge base article on the update only mentions CVE-2014-6271 and CVE-2014-7169.
39. Re:Why isn't this auto-update? by Psykechan · 2014-10-01 04:14 · Score: 1
  
  10.6.8 is only 3 years old. 10.6 itself is only 5 years old. Why not patch it?
  Oh right, 10.6.8 is the last OS X version to have support for PPC and not require users to use the Mac App Store just to get the updates. Of course they want to kill it.
  Apple is dead to me.
40. Re: Why isn't this auto-update? by Plumpaquatsch · 2014-10-03 07:08 · Score: 1
  
  That's not a "dirty secret". Having a single component that launches all daemons is a laudable improvement over the adhoc, multiple methods that had grown up in Unix like OSs.
  Linux has political problems between Linus and the systemd team, and systemd may be overreaching. None of which is relevant to OSXs entirely different component launchd.
  And if anyone thinks there's any copying going on here, take note of the direction - OSX launchd dates back to 2005. Linux systemd to 2010.
  Not to mention that launchd is Open Source.
  
  --
  Of course news about a fake are Fake News.
41. Re: Why isn't this auto-update? by Plumpaquatsch · 2014-10-03 07:20 · Score: 1
  
  There will be. Unfortunately, those who would take over our computers do not share our lack of imagination.
  The question is: will those case already be fixed by the existing "fast" patches? At least the first patch (that everybody but Apple rushed out) was nothing but duct tape over the big visible hole. It certainly didn't fix the underlying problem.
  
  --
  Of course news about a fake are Fake News.
42. Re: Why isn't this auto-update? by unixisc · 2014-10-05 10:48 · Score: 1
  
  Doesn't matter - with all the other closed source shells out there, as well as BSDL licensed open source shells, like ash, it's surprising that Apple would be using bash at all - particularly when unlike Samba or GCC, there is a bonanza of alternatives out there.
43. Re:Why isn't this auto-update? by Anonymous Coward · 2014-10-12 21:13 · Score: 0
  
  And here we still have no official patch for this. Oct 13th. No updates. They're really on top of things over there.
I have an idea by buchner.johannes · 2014-09-30 00:58 · Score: 1

How about releasing a version of bash that has function passing disabled. That would be safer and we can find out what breaks.

--
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
1. Re:I have an idea by Anonymous Coward · 2014-09-30 01:05 · Score: 5, Funny
  
  How about releasing a version of bash that has function passing disabled. That would be safer and we can find out what breaks.
  If only bash were open source, one could do this themselves instead of hoping others might do it for them.
2. Re:I have an idea by DaCo · 2014-09-30 01:06 · Score: 1
  
  How about releasing a version of bash that has function passing disabled.
  I misread that as parsing and got very scared.
  
  --
  DELETE MY ACCOUNT
3. Re:I have an idea by ihtoit · 2014-09-30 01:07 · Score: 1
  
  ...or you could do it yourself, BASH is open source.
  
  --
  Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
4. Re:I have an idea by hweimer · 2014-09-30 01:27 · Score: 1
  
  How about releasing a version of bash that has function passing disabled.
  People are using this feature and taking it away will break stuff. The latest update (not sure whether Apple already ships it) stores all function definitions with a prefix of BASH_FUNC_, and function definitions are disabled for all variables not starting with the prefix. This allows to retain the feature, but prevents the execution of malicious code at the same time.
  
  --
  OS Reviews: Free and Open Source Software
5. Re:I have an idea by Anonymous Coward · 2014-09-30 01:28 · Score: 3, Interesting
  
  Hey, not me. I'm expecting the open source community to do it for me for no cost, while I sip mojitos.
6. Re:I have an idea by mjtaylor24601 · 2014-09-30 01:33 · Score: 1
  
  ...or you could do it yourself, BASH is open source.
  Maybe the GP is not a programmer and is thus not able to do it himself. Open source is great but it's not a magic panacea.
  I suppose he could hire someone to do it for him but complaining on /. is just way easier ;-)
  
  --
  I wish I were as sure of anything as some people are of everything
7. Re:I have an idea by Anonymous Coward · 2014-09-30 01:35 · Score: 1
  
  I have this crazy idea: since we are not immortal and a day only has 24 hours, how about we figure out some way to assign tasks to different people? Ideally, there would be some incentive that would allow one to buy food while working for the common good. Maybe I could trade my cooking skills for your skills in removing security flaws from software. But wait, we could even make this more abstract so we don't have to trade directly. Maybe some number that one could increase by working and decrease by taking advantage of the work of others? If only such a thing existed.
8. Re:I have an idea by Anonymous Coward · 2014-09-30 01:48 · Score: 1
  
  After you get familiar with the 100k line codebase and figure out where to precisely place the fix, that is.
9. Re:I have an idea by Anonymous Coward · 2014-09-30 01:53 · Score: 1
  
  I hope you're ready for a lot of cooking.
10. Re:I have an idea by Anonymous Coward · 2014-09-30 02:05 · Score: 1
  
  This sounds needlessly complicated. Let's just each do what we can for others in, say, seven hours on four days of every week, and leave the rest to our leisure.
11. Re:I have an idea by DarkOx · 2014-09-30 02:31 · Score: 1
  
  You mean like practically everyone's .profile
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
12. Re:I have an idea by jythie · 2014-09-30 02:51 · Score: 1
  
  Even if one is a programmer and is able to do it themselves, what most of us probably want is to be sure the websites that we interact with have updated their versions, and a lot of companies (or their admins) stick to what has been fixed and pushed out rather then hack their local versions.
13. Re:I have an idea by Dunkirk · 2014-09-30 02:57 · Score: 1
  
  There's a cutoff where it's useful to say that "you can do it yourself." I *am* a programmer, and have been for 35 years or so. One thing that annoyed me -- "back in the day" -- was Evolution's spotty support for Palm Pilot synchronization. I was fiddling with Gentoo's portage versions of the program and the various libraries so much that I finally downloaded the source for Evolution, and started to look at where the code that governed this problem lived. I recall asking someone a question about the source on some forum (or maybe IRC), and was told by one of the developers that what I was after was so deep that I probably be better off not fooling with it. I looked at it a little longer, and concluded he was right. It would have taken me hundreds of hours to find and fix the problem I was seeing, and then I'd have to apply the patch to a version that had been updated underneath me while I worked on it, leading to other hassles. The process would have been quite elaborate, and this is my point: Waiting for the person who knows, roughly, WHERE the problems are, and already has a good idea of HOW TO FIX IT is usually worth the time savings, even if you DO know how to code.
  Palm died not too long after, and I finally got an iPhone.
  
  --
  Acts 17:28, "For in Him we live, and move, and have our being."
14. Re:I have an idea by tom17 · 2014-09-30 03:27 · Score: 1
  
  The profile is sourced after the bash shell has already initialised. If my understanding is correct, the exploits are triggered because bash parses the environment during initialisation.
  Not sure if this is 100% correct, or if there is a difference in before vs after parsing, but if I am correct, this would not affect user profiles.
  Anyone care to expand?
15. Re:I have an idea by swillden · 2014-09-30 03:49 · Score: 1
  
  This sounds needlessly complicated. Let's just each do what we can for others in, say, seven hours on four days of every week, and leave the rest to our leisure.
  So... you're suggesting that we apply the open source notion of "everyone works on what interests them" to all productive labor? While I'm a big fan of open source, that approach has real and obvious problems. Are you going to volunteer to maintain the sewage treatment plants?
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
16. Re:I have an idea by Anonymous Coward · 2014-09-30 04:03 · Score: 0
  
  We did: https://github.com/akamai/bash
17. Re:I have an idea by Anonymous Coward · 2014-09-30 04:22 · Score: 0
  
  From each according to their ability, to each according to their need.
18. Re:I have an idea by nblender · 2014-09-30 04:32 · Score: 1
  
  Also... As an open source contributor and also long time software developer, there's no end of things to sink my spare time into, but my spare time is already alloted to other projects (some of them open source)... Sometimes I just want to flop on the couch and watch TV but {mythtv,xbmc,plex} is broken in a way that prevents me from doing it... So yes, I might be capable of fixing it myself, assuming I could find the bug in source I don't know, figure out the correct fix, that isn't going to break a dozen other things I don't understand, and test it, and then sign on to whatever website/forum/mailing-list/whatever in order to submit the patch, blah blah blah... SOMETIMES I JUST WANT TO WATCH TV!
19. Re:I have an idea by Anonymous Coward · 2014-09-30 04:46 · Score: 0
  
  Here you go
  http://svnweb.freebsd.org/ports?view=revision&revision=369341
20. Re:I have an idea by fnj · 2014-09-30 05:00 · Score: 1
  
  Unless of course the malefactors know this and stick BASH_FUNC_ in front of their exploit strings.
21. Re:I have an idea by DarkOx · 2014-09-30 05:07 · Score: 1
  
  I think you are correct on this point, I was a little too quick. Still I suspect there would be issues; which people who make heavy use of the shell would 'feel'
  Consider ssh->bash->screen->bash. The first bash will be a login shell that sources the profile, the second will be a subshell, and would no longer have the functions defined. Sure there are plenty of ways to 'solve' that problem but will certainly require some alterations to common work flows.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
22. Re: I have an idea by Anonymous Coward · 2014-09-30 05:07 · Score: 0
  
  Tried it, the elite on the other side saw it as a threat and sabatoged it.
23. Re:I have an idea by profplump · 2014-09-30 06:04 · Score: 1
  
  If I can't otherwise have sewage treatment -- yes, definitely.
24. Re:I have an idea by hweimer · 2014-09-30 06:13 · Score: 2
  
  Unless of course the malefactors know this and stick BASH_FUNC_ in front of their exploit strings.
  This won't work because an attacker will only be able to manipulate the content of some environment variable, but not its name. And being able to manipulate arbitrary environment variables has always been equivalent to being able to execute arbitrary code. Think LD_PRELOAD or IFS, for example.
  
  --
  OS Reviews: Free and Open Source Software
25. Re:I have an idea by swillden · 2014-09-30 06:55 · Score: 1
  
  If I can't otherwise have sewage treatment -- yes, definitely.
  And the 10,000 other, similar, issues? There are lots of things that need to be done but no one really wants to do. If the solution is that everyone must do those things themselves then we lose much of the advantages of specialization.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
26. Re:I have an idea by Swave+An+deBwoner · 2014-09-30 07:03 · Score: 1
  
  Hey, the last update is 4 days ago. What have you guys done for me recently?
27. Re:I have an idea by TechyImmigrant · 2014-09-30 07:44 · Score: 1
  
  > an attacker will only be able to manipulate the content of some environment variable, but not its name.
  How can this be true?
  I just tried and successfully passed the variable "_BASH_FUNC_thingy" with the value "my_attack" through my apache web server to a CGI script using a url entered into a browser.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
28. Re:I have an idea by Noah+Haders · 2014-09-30 08:04 · Score: 1
  
  +1 million. it's not about being incompetent or not knowing how to do it. it's that we're all busy with life and don't have free hours to dive in to something like this. outside of work I recently picked up a new "hobby" and it poops all the time and wakes me up in the middle of the night
29. Re:I have an idea by BasilBrush · 2014-09-30 09:17 · Score: 1
  
  While I'm a big fan of open source, that approach has real and obvious problems.
  The problems show themselves just as much in software as anywhere else. e.g. People would much prefer to create new code than do code reviews or write tests, so defects in open source software linger around for a decade or two.
30. Re:I have an idea by swillden · 2014-09-30 11:10 · Score: 1
  
  While I'm a big fan of open source, that approach has real and obvious problems.
  The problems show themselves just as much in software as anywhere else. e.g. People would much prefer to create new code than do code reviews or write tests, so defects in open source software linger around for a decade or two.
  Exactly. The approach does have a lot of benefits, but there are some negatives as well.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
31. Re:I have an idea by hweimer · 2014-09-30 20:28 · Score: 1
  
  I just tried and successfully passed the variable "_BASH_FUNC_thingy" with the value "my_attack" through my apache web server to a CGI script using a url entered into a browser.
  No, you get something like QUERY_STRING="_BASH_FUNC_thingy=my_attack", which is harmless because function definitions inside QUERY_STRING are not being evaluated after the last update.
  
  --
  OS Reviews: Free and Open Source Software
32. Re:I have an idea by fnj · 2014-10-01 02:50 · Score: 1
  
  Thank you. Very clear thinking.
33. Re:I have an idea by TechyImmigrant · 2014-10-01 05:08 · Score: 1
  
  I just tried and successfully passed the variable "_BASH_FUNC_thingy" with the value "my_attack" through my apache web server to a CGI script using a url entered into a browser.
  No, you get something like QUERY_STRING="_BASH_FUNC_thingy=my_attack", which is harmless because function definitions inside QUERY_STRING are not being evaluated after the last update.
  No I didn't. I'll play with bash versions and see if there was a change. I don't think so though.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
that was fast by ihtoit · 2014-09-30 01:00 · Score: 1

only took them five days to fix from the disclosure.

--
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
1. Re:that was fast by Anonymous Coward · 2014-09-30 01:06 · Score: 0
  
  Is this being ironic....?
2. Re:that was fast by Anonymous Coward · 2014-09-30 01:11 · Score: 0
  
  Yeah it's a big company, they have a very different process than the neckbeards. Stop patting yourself on the shoulder now.
3. Re:that was fast by Anonymous Coward · 2014-09-30 01:17 · Score: 0
  
  I hope that's sarcasm. Every other distro had this fixed last week. Apple are only fixing one instance and leaving it broken elsewhere. They're not at risk anyway, no one uses OS X for hosting.
4. Re:that was fast by zerosomething · 2014-09-30 01:19 · Score: 4, Interesting
  
  Unfortunately Apple knows very few actually run OS X server and Apache through it so the possible compromised systems, in their eyes, was very small. i.e. not a big deal to get this out fast. What they don't realize is that a large number of institutions actually use their server product to manage all the Macs in the institution. If the servers were compromised then all the clients would then be at risk. Think instant Mac bot net! Fortunately this is open source software and you can patch it your self but most Mac servers are run by people that don't know how to do that. Sigh...
  
  --
  It all starts at 0
5. Re:that was fast by Bing+Tsher+E · 2014-09-30 01:22 · Score: 3, Funny
  
  Mac servers? You mean that SE/30 running the Pokeytalk network, with the Laserwriter attached to it?
6. Re:that was fast by amiga3D · 2014-09-30 01:28 · Score: 1
  
  Those do still exist. I saw a laserwriter at my local library hooked up to some ancient Apple box.
7. Re:that was fast by jones_supa · 2014-09-30 01:37 · Score: 1
  
  How is the DHCP client handling done in OS X: was there a similar risk like in Linux distros, whose dhclient scripts became vulnerable?
8. Re:that was fast by DarkOx · 2014-09-30 01:46 · Score: 1
  
  Not sure on the exact details of OSX DHCP handling (did not dig through it all) but no it was not vulnerable, based on a quick empirical test.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
9. Re:that was fast by Anonymous Coward · 2014-09-30 01:56 · Score: 0
  
  There are benefits to both strategies. The Linux distros could mitigate the problem more quickly, which certainly has value. On the other hand, it took a couple of attempts for them to get it right. In Apple's case, 5 days is not that unreasonable if you run the patch through a bit more rigorous QA and make sure that all the pieces are in place.
10. Re:that was fast by Anonymous Coward · 2014-09-30 01:57 · Score: 0
  
  Pretty sure the word you were looking for was "sarcastic," not "ironic."
11. Re:that was fast by Anonymous Coward · 2014-09-30 02:04 · Score: 0
  
  I think OSX uses SystemD, so it is INVULNERABLE!
12. Re: that was fast by Anonymous Coward · 2014-09-30 02:23 · Score: 0
  
  Wasn't it because of a restriction of GPL 3 license that apple had to roll their own.
  I can't remember the exact details, but m pretty shire that's the case
13. Re: that was fast by Anonymous Coward · 2014-09-30 02:38 · Score: 0
  
  Actually, I know a number of people that have mac servers with externally facing web services.
  MacPractice is a mac based EMR that has a web portal for patient login.
  Then there are programs like Rumpus, CrushFTP, Xinet, etc.
14. Re:that was fast by tom17 · 2014-09-30 02:42 · Score: 1
  
  But they are not all in place, there was no mention in the apple security announcement of CVE-2014-6277 or CVE-2014-6278 being fixed...
15. Re:that was fast by TheRaven64 · 2014-09-30 02:51 · Score: 1
  
  The dhcp client in OS X runs sandboxed (I believe), so there's less potential for an attacker to exploit it if they can make it run arbitrary things - it doesn't have general filesystem access.
  
  --
  I am TheRaven on Soylent News
16. Re: that was fast by Noah+Haders · 2014-09-30 04:06 · Score: 1
  
  you're pretty shire? are you a hobbit?
17. Re: that was fast by BronsCon · 2014-09-30 04:14 · Score: 1
  
  And what of Bonjour? Anyone running their mac connected directly to a cable or DSL modem because "I only have on computer, so why do I need a router?" is potentially vulnerable, and we have no reason to believe otherwise until we see the source for Bonjour to prove that it makes no system calls. It's cross-platform, so you can be sure it's not relying on cocoa APIs.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
18. Re:that was fast by BronsCon · 2014-09-30 04:15 · Score: 1
  
  but if that sandbox can ping...
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
19. Re:that was fast by smash · 2014-09-30 04:17 · Score: 2
  
  Apple are likely more concerned with breaking apps that may depend on certain behaviour and actually QA testing their shit before putting it out to 100 million users or so and dealing with the fall out from "it just works" breaking. Linux is an entirely different kettle of fish, where breaking people's shit because you don't like company X or you have an ideology conflict is "acceptable".
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
20. Re:that was fast by smash · 2014-09-30 04:18 · Score: 1
  
  You men the mac servers that don't run mod_cgi?
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
21. Re:that was fast by smash · 2014-09-30 04:19 · Score: 1
  
  No, the OS X dhcp client is not hacked together with shell scripts.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
22. Re:that was fast by Anonymous Coward · 2014-09-30 04:34 · Score: 0
  
  But he used the "this" keyword reffering to his own post, that which contained "this".isIronic() and as such should return true;)
23. Re:that was fast by jones_supa · 2014-09-30 04:50 · Score: 1
  
  Ok, thanks for the info.
24. Re:that was fast by Anonymous Coward · 2014-09-30 05:05 · Score: 0
  
  Capitalize systemd properly you retard. You are posting this clueless moronic spelling in every slashdot article.
25. Re:that was fast by Swave+An+deBwoner · 2014-09-30 07:39 · Score: 1
  
  Papa's gonna buy me a diamond ring?
26. Re: that was fast by jo_ham · 2014-09-30 08:04 · Score: 1
  
  Bonjour is just Apple's implementation of Zeroconf. It's freeware, with the core components of it under the Apache licence.
  Have a look through the code yourself "to be sure". https://developer.apple.com/bo...
27. Re:that was fast by Culture20 · 2014-09-30 08:06 · Score: 1
  
  but if that sandbox can ping...
  Papa's gonna buy you a diamond ring.
28. Re:that was fast by Noah+Haders · 2014-09-30 08:08 · Score: 1
  
  under your interpretation, the post would certainly be self-referential but not ironic.
29. Re:that was fast by macs4all · 2014-09-30 09:13 · Score: 0
  
  I hope that's sarcasm. Every other distro had this fixed last week. Apple are only fixing one instance and leaving it broken elsewhere. They're not at risk anyway, no one uses OS X for hosting.
  Speak for yourself. Maybe not too often on a commercial scale; but there are many OS X boxen that have one or more "listeners" a-listenin'.
  
  And didn't I read something about CUPS being possibly an attack vector? That makes it only Every. Single. Mac.
  
  And all it takes is someone not understanding how Port Forwarding works, and going "F-it." I'm just gonna put my machine in my Router's DMZ..."
30. Re:that was fast by macs4all · 2014-09-30 09:20 · Score: 0
  
  I think OSX uses SystemD, so it is INVULNERABLE!
  Actually, it uses Apple's own creation, "launchd", which they Open Sourced.
31. Re:that was fast by BasilBrush · 2014-09-30 09:39 · Score: 1
  
  Which is probably why this is a quick and dirty downloadable patch, rather than a proper OS update available to all with auto-update.
  Those who have systems that open up BASH to the internets can get this partial fix, and get subsequent ones as BASH fixes progress. Those 99.999% for whom it's not relevant aren't bothered with pointless updates.
32. Re:that was fast by Anonymous Coward · 2014-09-30 10:22 · Score: 0
  
  I think OSX uses SystemD, so it is INVULNERABLE!
  Actually, it uses Apple's own creation, "launchd", which they Open Sourced.
  Except, of course, that the Linux world can't/won't use it because it isn't under the almighty GPL, the "one license to rule them all".
33. Re:that was fast by Anonymous Coward · 2014-09-30 15:01 · Score: 0
  
  I think OSX uses SystemD, so it is INVULNERABLE!
  Actually, it uses Apple's own creation, "launchd", which they Open Sourced.
  Except, of course, that the Linux world can't/won't use it because it isn't under the almighty GPL, the "one license to rule them all".
  So, they can't/won't use the APSL, because Apple, who wrote the software, allows it to be included in Proprietary software, which The GPL has Deemed to be Unclean.
  However, I posit this: If the GPL controls the disposition of the Author's software beyond the point at which the Author herself even wishes, in exactly which way is that "Free"?
  But now that launchd is Apache 2.0, what's the problem?
34. Re: that was fast by Anonymous Coward · 2014-10-01 00:27 · Score: 0
  
  nah, horse
Re:Exploit that only affects Mac and Linux by Anonymous Coward · 2014-09-30 01:18 · Score: 1

This is the kind of thing people on the slashdot of yesteryear thought were impossible. Remember when people would post that Apple computers and/or Linux wasn't vulnerable like Windows?
Good times. I mean, I'm not trying to claim Windows has improved in security that it's no longer the easiest target or anything. Just that things have changed since that bygone era.
You, user 'i kan reed', are the worst thing about this 'modern era' of Slashdot. How you can remember that era and post such thoughtless, trivial and inane tripe is beyond me. Was it the "sexy beta" that attracted your type?
Re:Exploit that only affects Mac and Linux by nuonguy · 2014-09-30 01:18 · Score: 5, Insightful

At least it's still news when we learn about Mac and Linux vulnerabilities. :-)
Re:Exploit that only affects Mac and Linux by Anonymous Coward · 2014-09-30 01:23 · Score: 1, Funny

Goood, let the butthurt flow through you.
Re:Exploit that only affects Mac and Linux by Anonymous Coward · 2014-09-30 01:23 · Score: 0

Linux is pretty solid at this point, however the free ecosystem is absolutely full of additional software that is used by default in allmost all installations that is much more suspect. The caliber of the people who build and maintain this software just is not on par with the people who are employed at professional software design houses, the testing is not as rigorous, and the source code is available for people to inspect for attack vectors. Yet people think nothing of installing this on mission-critical systems and loading it up with sensitive data. It's a ticking time bomb, and this is likely just the blasting cap going off.
Re:Exploit that only affects Mac and Linux by Wootery · 2014-09-30 01:31 · Score: 3, Insightful

It's a ticking time bomb, and this is likely just the blasting cap going off.
So you're expecting an 'explosion' even worse than Shellshock and co?
I doubt it. Bash will be hammered on, and will be made more secure, in the coming weeks.
Re:Exploit that only affects Mac and Linux by Amorymeltzer · 2014-09-30 01:33 · Score: 1

I actually like this piece which makes the argument that it's not a bug, but a feature:

I would argue that the bash security concern is not a bug. It is clearly a feature. Admittedly, a misguided and misimplemented feature, but still a feature. The problem is that it was designed 25 years ago. ...The problem we have is not a bash bug, but is basically similar to the Ariane 5 bug: using a component from an earlier systems out of specifications.

--
I live in constant fear of the Coming of the Red Spiders.
Re:Exploit that only affects Mac and Linux by amiga3D · 2014-09-30 01:36 · Score: 1

Only the idiots claimed it was impossible. It was much more unlikely because Windows was designed at the time from the ground up to be backdoored. It was literally defective by design. It has come a long way and malware makers have also gotten much more sophisticated. A lot of them are users of linux and unix systems and naturally enough they now design for those systems as well. One reason is that the newer linux distros are not as security focused as the old days. People routinely log into a user account that has all kinds of priviledges that once were reserved to the root user. The continual drive for the latest and greatest features has led to using the testing branch of debian as well. At this moment I'm on a machine runniing SparkyLinux 3.5 which is derived from the debian testing repos and I'd never use it for banking or anything like that.
Re:Exploit that only affects Mac and Linux by Anonymous Coward · 2014-09-30 01:44 · Score: 1

NT security model is vastly superior to mathematically unsound, outdated Unix security model, which most of Linux installations still use.
Re:Exploit that only affects Mac and Linux by amiga3D · 2014-09-30 01:51 · Score: 1

I wouldn't go that far. Windows installations routinely get reamed. It's better but I wouldn't call it secure. I've got a secure linux install on a seperate laptop for banking and such and it's locked down like Fort Knox. As I only use it for things I'm paranoid about I'd say it's pretty safe. I'd rather bet on it than Windows.
Re:Exploit that only affects Mac and Linux by DarkOx · 2014-09-30 02:02 · Score: 1

Yes but the problem is and has always been Microsoft does not really use the NT security model but instead "re-implements" lots of controls in upper layers. Those layers in the past tended to be running with pretty high NT model privileges (that has gotten much better).

--
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Re:Exploit that only affects Mac and Linux by Anonymous Coward · 2014-09-30 02:06 · Score: 0

NT security model is vastly superior to mathematically unsound, outdated Unix security model, which most of Linux installations still use.
Which is why it takes two weeks and three requests to be able to install software on my Windows box at any job I've worked. Honestly, it doesn't matter how superior something is if it's run by idiots or if it's so "advanced" that no one will knows how it works.
Re:Exploit that only affects Mac and Linux by DarkOx · 2014-09-30 02:10 · Score: 1

Passing functions on environment variables is a feature, executing code after the function definition is parsing error.
As the article states is was never documented, and after trying really hard can't think of legitimate reasons to do it when there is a defined documented method for executing statements in the subshell via arguments "-c"
Which is not say, it was never done via someone doing some "clever" programing but if it was it probably was not a "good idea"
So no I think its bug, and a bit dishonest to try an spin it otherwise.

--
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Re:Exploit that only affects Mac and Linux by i+kan+reed · 2014-09-30 02:27 · Score: 1

I'm just saying a few years ago, we had an awful lot of that variety of idiot.
Re:Exploit that only affects Mac and Linux by UnknowingFool · 2014-09-30 02:29 · Score: 1

This is the kind of thing people on the slashdot of yesteryear thought were impossible. Remember when people would post that Apple computers and/or Linux wasn't vulnerable like Windows?
No what people have said is that Windows was vulnerable in different ways than Linux or Unix. Viruses were/are a huge problem for Windows machines and largely a Windows problem. All machines can be compromised with a Trojan if the user allows it to run. Vulnerabilities affect all systems but Linux, Unix, and OS X are built differently than Windows.

--
Well, there's spam egg sausage and spam, that's not got much spam in it.
No sensible person ever though it was impossible by daveschroeder · 2014-09-30 02:31 · Score: 2, Informative

But even here, again, when you look at a typical OS X desktop system, now many people:
1. Have apache enabled AND exposed to the public internet (i.e., not behind a NAT router, firewall, etc)?
2. Even have apache or any other services enabled at all?
...both of which would be required for this exploit. The answer? Vanishingly small to be almost zero.
So, in the context of OS X, it's yet another theoretical exploit; "theoretical" in the sense that it effects essentially zero conventional OS X desktop users. Could there have been a worm or other attack vector which then exploited the bash vulnerability on OS X? Sure, I suppose. But there wasn't, and it's a moot point since a patch is now available within days of the disclosure.
And people running OS X as web servers exposed to the public internet, with the demise of the standalone Mac OS X Server products as of 10.6, is almost a thing of yesteryear itself.
Nothing has changed since that era: all OSes have always been vulnerable to attacks, both via local and remote by various means, and there have been any number of vulnerabilities that have only impacted UN*X systems, Linux and OS X included, and not Windows, over very many years. So yeah, nothing has changed, and OS X (and iOS) is still a very secure OS, by any definition or viewpoint of the definition of "secure", when viewed alongside Windows (and Android).
Re:Exploit that only affects Mac and Linux by Anonymous Coward · 2014-09-30 02:35 · Score: 0

When Mac and Linux and *nix can get infected by drive-bys then your post might have a point. And Windows has increased in security. But still remains the easiest and most supple target because of its security-by-obscurity (i.e. closed source) nature, and clown car mentality towards security built into it from the beginning.
Re:Exploit that only affects Mac and Linux by jbolden · 2014-09-30 03:04 · Score: 1

Exactly. This is a problem Microsoft has had for several decades they lack mechanisms to generate internal consensus. So they build a capabilities based security model but then don't build all the tools and support that their user community will need to make it work so everyone just runs as admin. Then they tone it down and put a permissions based system in place. But that still has problems. Then they start tightening and then use sandboxing for yet another capabilities system...
Mac's don't get viruses. . . by Mr_Wisenheimer · 2014-09-30 03:22 · Score: 1

. . . until they do.
With more Apple computers running in high-value commercial enterprises, one has to wonder why they are so lax about security.
1. Re:Mac's don't get viruses. . . by Anonymous Coward · 2014-09-30 03:43 · Score: 0
  
  Simple... They run XP in their own labs.
  http://cdn2.vox-cdn.com/entry_photo_images/12792982/DSCF7922_verge_super_wide.jpg
2. Re:Mac's don't get viruses. . . by mean+pun · 2014-09-30 03:57 · Score: 1
  
  Who is lax about security? Apple? Why do you think so?
3. Re:Mac's don't get viruses. . . by Mr_Wisenheimer · 2014-09-30 04:14 · Score: 1
  
  The OS X BASH vulnerability patch is still not available as an automatic update whereas most Linux repositories had one available within 72 hours of the exploit. Studies of operating system security show that vulnerabilities in OSX persist the longest without being patched (assuming you discount big server OS's like Solaris) while Windows is patched the quickest. [1]
  It shows a huge difference in attitudes, in my opinion. Microsoft is enterprise focused, so they take security vulnerabilities very seriously. Apple is consumer focused, so they consider security to be a luxury that few of their customers care about.
  [1]
  http://arstechnica.com/apple/2...
4. Re:Mac's don't get viruses. . . by Anonymous Coward · 2014-09-30 04:16 · Score: 0
  
  Apparently no more lax than Linux. Why don't you go troll those people?
5. Re:Mac's don't get viruses. . . by unimacs · 2014-09-30 04:50 · Score: 1
  
  - Your study is 6 years old.
  - RedHat was the only linux distro in the survey that I saw
  - The nature of the vulnerabilities that Microsoft typically patched was quite a bit different from those in the other operating systems studied.
  
  I really doubt it's a difference in attitude. It could simply be that considering that considering their user base, Apple puts any patches through a much more rigorous testing than a linux distro typically does. They may (correctly) conclude that a rushed patch could do more harm in less time than most of the vulnerabilities that are identified.
6. Re:Mac's don't get viruses. . . by mean+pun · 2014-09-30 04:58 · Score: 1
  
  I'm sorry, but I can't get exited about two days to fix one vulnerability (Major Linux distributions) versus five days to fix most, if not all known vulnerabilities (Apple). The fix is there, and I'm glad they took the time to do some additional testing, especially because bash on Mac OS X is something that a large majority of users will not even run, and those that do will mostly only use it for their command line handling. Remote exploitation is just not possible with the default settings, so I don't care that Apple is a little slower.
  Similarly, I am glad that there was a quick fix for my Debian box, because there the vulnerability was critical, and I have seen in the log files that people were trying to exploit it.
  This neatly demonstrates that the statistics you mention are meaningless. The tradeoff between quick and solid is always there, and it is likely that Microsoft more often had to deal with bugs that required urgent fixes; they still have a lot of legacy to deal with.
  In general, I don't see any signs that Apple is lax about security. They may be a little slow, but usually the fix is worth the wait, and they're also pretty good at avoiding problems in the first place.
7. Re:Mac's don't get viruses. . . by Mr_Wisenheimer · 2014-09-30 05:13 · Score: 1
  
  1. I have seen no evidence that Apple has increased the speed of its patching of security vulnerabilities since the study was conducted (this latest patch delay being just one example). Do you have any evidence that Apple has changed?
  2. Red Hat is the best-supported corporate Desktop Linux distro, so it makes since to use them as a base of comparison as opposed to something more consumer-oriented like Ubuntu.
  3. Multiple other studies have show that Apple lags behind in fixing security flaws.[1] [2]
  Do you have any actual quantitative data to present to provide some context or counterpoint to the data I have presented, because speculation and cherry-picking is not really a valid criticism. The truth is in the numbers.
  SOURCES:
  [1] http://www.huffingtonpost.com/...
  [2] http://www.zdnet.com/blog/secu...
8. Re:Mac's don't get viruses. . . by unimacs · 2014-09-30 08:21 · Score: 2
  
  Your first source sites a report from Trend Micro that barely mentions OS X. It shows a chart with the number of vulnerabilities by vendor but it doesn't make any effort to characterize the severity of the vulnerabilities or the likelihood of being affected by them.
  
  Your second source is not a study or report at all but the opinion of a guy selling security software. I'm not saying his opinion isn't worth anything, only that he stands to gain by scaring OS X users into buying his software. And just as an aside, I wouldn't be surprised if more systems have been compromised in some way by anti-virus software than any single virus.
  
  I'm sorry but I don't think comparing MS to RedHat is valid. They have a much different user base. The report you listed in your original post went as far as to say that MS was mostly patching client vulnerabilities (in browsers and such) that potentially affect huge numbers of systems many of which are operated by people who are less knowledgeable and more vulnerable to things like trojans. In those cases I agree you need to move quickly.
  
  Something like Shellshock might potentially affect something like 2% of all Macs, (if not less) while a patch affects are large percentage of them. You'd better make sure you don't screw up something in that patch. The majority of Mac users are not like linux users who can easily recover from a bad patch.
9. Re:Mac's don't get viruses. . . by Culture20 · 2014-09-30 09:21 · Score: 1
  
  It could simply be that considering that considering their user base, Apple puts any patches through a much more rigorous testing than a linux distro typically does.
  Yeah, I was really pissed when RHEL released a patch for a kernel bug last week and it disabled the phone app on my iPhone. *#$^ing RedHat.
10. Re:Mac's don't get viruses. . . by unimacs · 2014-09-30 10:03 · Score: 1
  
  It could simply be that considering that considering their user base, Apple puts any patches through a much more rigorous testing than a linux distro typically does.
  Yeah, I was really pissed when RHEL released a patch for a kernel bug last week and it disabled the phone app on my iPhone. *#$^ing RedHat.
  Not exactly sure what you're trying to say but let me clarify my statement. Apple's users require more hand holding than RHEL users. I'm very serious when I say that Redhat's patch testing process may not be as rigorous as Apple's and I will add that because of the differences in user base, it doesn't have to be.
  
  I wasn't slamming RedHat or linux at all if that's what you thought.
11. Re:Mac's don't get viruses. . . by Culture20 · 2014-09-30 10:19 · Score: 1
  
  I was making a reference to the recent Apple patch that disabled the phone on the iPhone.
  http://support.apple.com/kb/DL...?
  
  This release contains improvements and bug fixes, including:
  Fixes an issue in iOS 8.0.1 that impacted cellular network connectivity and Touch ID on iPhone 6 and iPhone 6 Plus
  On their new flagship phones for iOS8. If Apple devs were really that thorough, I doubt that would have passed the first round of tests. On the other hand, I've noticed patches on RHEL take longer to release than Ubuntu which take longer than other Linux distros. But I'm not sure OSX is delayed due to rigorous testing.
12. Re:Mac's don't get viruses. . . by unimacs · 2014-09-30 10:32 · Score: 1
  
  I was making a reference to the recent Apple patch that disabled the phone on the iPhone. http://support.apple.com/kb/DL...?
  
  This release contains improvements and bug fixes, including: Fixes an issue in iOS 8.0.1 that impacted cellular network connectivity and Touch ID on iPhone 6 and iPhone 6 Plus
  On their new flagship phones for iOS8. If Apple devs were really that thorough, I doubt that would have passed the first round of tests. On the other hand, I've noticed patches on RHEL take longer to release than Ubuntu which take longer than other Linux distros. But I'm not sure OSX is delayed due to rigorous testing.
  Because no linux distro ever releases a patch with bugs... right? ;-)
  
  Anyway. I said the process might have to be more rigorous. I didn't say it was flawless. And the whole 8.0.1 debacle only adds to my point. A patch can sometimes do more damage that what it's trying to fix. Better to take a couple extra days to get it right than to get it out as quickly as possible but screw it up.
13. Re:Mac's don't get viruses. . . by Anonymous Coward · 2014-10-07 03:10 · Score: 0
  
  Because no linux distro ever releases a patch with bugs... right? ;-)
  If someone claims that Apple is super-amazing-perfect at patch testing, then it's valid to point out evidence that that isn't the case. It doesn't matter that others also aren't perfect, if no-one ever claimed they were perfect in the first place.
Re:Exploit that only affects Mac and Linux by Mr_Wisenheimer · 2014-09-30 03:24 · Score: 1

Sure, but how many server administrators are going to actually update? Linux has a reputation of updates breaking builds and I suspect a lot of budget server administrators don't touch the updates on their Linux boxes once they go live for fear of borking them.
Bashed. by westlake · 2014-09-30 03:36 · Score: 3, Insightful

At least it's still news when we learn about Mac and Linux vulnerabilities. :-)
This is Bash, remember.

Stallman and the Free Software Foundation (FSF) considered a free shell that could run existing sh scripts so strategic to a completely free system built from BSD and GNU code that this was one of the few projects they funded themselves.
Bash (Unix shell)
The beta was released in 1989. 25 years ago.
Which makes a perfect farce of the notion that many eyes make all bugs shallow.
AWWWW SHEET, I think I've been HACK#ED! by Thud457 · 2014-09-30 03:54 · Score: 4, Funny

Where's this #%)&@@^ U2 album come from?!
I never asked for this...

--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Re:Exploit that only affects Mac and Linux by smash · 2014-09-30 04:22 · Score: 1

I like how slashdot are making out that this is more of an apple problem when perhaps 0.0001% of apple users are even running a web server and most of those are using php and not mod_cgi, the dhcp client is not vulnerable, etc.
Yet Linux with dhcp client vulnerable and a whole slew of other system utilities potential vulnerable due to using bash everywhere to glue tools together is given a pass.
bash still isn't fixed properly yet, and until it is, any linux box with a dynamic IP address sis potentially at risk.

--
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Re:No sensible person ever though it was impossibl by smash · 2014-09-30 04:25 · Score: 1

You forgot: mod_cgi needs to be manually turned on in the web server also. If you're running php instead, you are not vulnerable (which makes a change).

--
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Ahh yes by Sycraft-fu · 2014-09-30 04:56 · Score: 1

Everyone should just go and learn C and how to do POSIX programming, attain enough mastery in it to be able to diagnose code for obscure security issues (that have eluded many programmers for years) and then design a secure fix.
And they should do that in a day.
Ya that sounds reasonable.
FYI not only are most people not programmers, and have no interest in becoming programmers, but most lack the kind of brain it takes to be a good programmer. The whole "Oh it is OSS fix it yourself!" argument is a really stupid one.
1. Re:Ahh yes by tibit · 2014-09-30 05:14 · Score: 0
  
  I don't think that those issues have eluded anyone. It's much simpler than that: nobody looked in that mess of code. A lot, and I mean, a lot of core gnu code is sorely due for an overhaul. Heck, I wish they rewrote a lot of it using modern C++ (perahps without iostreams, though). It'd become a much smaller, more manageable code base. Properly done C-to-C++ ports should shed at least 50% of the code outright, possibly much more.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
2. Re:Ahh yes by BasilBrush · 2014-09-30 09:28 · Score: 1
  
  Heck if you're going to rewrite in a more modern language why only move from a 1970s language to a 1980s language?
  C++ does nothing to eliminate the common causes of defects and vulnerabilities - buffer overflows, dangling and unexpectedly nil pointers etc. Nor does it have anything to offer for the modern world of multiprocessing. And it's memory management is primitive.
  If you're going to move forward from the 1970s, do it properly.
3. Re:Ahh yes by tibit · 2014-10-01 04:13 · Score: 1
  
  Only some very awkward C++ would not eliminate this. I have lots and lots of C++ code where buffer overflows and dangling pointers are statically provable not to exist, and it's very obvious by inspection that it can't but be so. All it takes is proper libraries and proper approach. Yes, I see way too much C++ code written like it was Pascal-with-objects. Sigh.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
4. Re:Ahh yes by jeremyp · 2014-10-03 03:02 · Score: 1
  
  If it had been Pascal with objects, we'd have been OK. Pascal does array bounds checking.
  
  --
  All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
5. Re:Ahh yes by tibit · 2014-10-05 03:44 · Score: 1
  
  But doesn't prevent use of dangling pointers and unconstructed objects. So, not very much win, I'd say.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
Open Source is still better by bussdriver · 2014-09-30 05:41 · Score: 1

Apple wouldn't have known about this little known old feature turned security hole if it wasn't for open source. Windows having similar holes, wouldn't benefit from other operating systems discovering common flaws in their code base!
Diversity of the many systems that use BASH also provides increased security. People on linux are going to think twice about risky things involving bash for a while now, while Apple had no such security issues because they jail and limit their DHCP client like freeBSD also does.
The idea that you'd run bash commands as root from a DHCP server is crazy unless you were running servers on a private network (along with NFS) and perhaps this is why linux people didn't have any troubles with their implementation given their needs at the time. What we could use is more linux desktop developers because they'd have freaked out at the proper time and prevented this decades ago.

--
Democracy Now! - uncensored, anti-establishment news
1. Re:Open Source is still better by BasilBrush · 2014-09-30 10:03 · Score: 1
  
  Apple wouldn't have known about this little known old feature turned security hole if it wasn't for open source.
  Apple wouldn't have had this defect if they hadn't used open source. For sure it might (and does) have others, but given it's taken 20 years for this defect to be found, the idea that there is any superior bug finding capability in the open source arena is laughable.
  The myth "With may eyes all defects are shallow" was only ever believed by the naive. Shellshock and Heartbleed have proved it was nonsense. At this time only the religious still believe it.
I rolled my own for 10.6.8 by Anonymous Coward · 2014-09-30 06:41 · Score: 0

I checked this out: http://www.macissues.com/2014/09/25/how-to-unofficially-fix-the-shell-shock-bash-vulnerability-in-os-x/
Then patched and built bash in my macbook pro 10.6.8.
Easy.
GNU :-)
Yosemite too now by ruir · 2014-09-30 08:05 · Score: 1

I have just received news of 3 updates, including the 1st release of the GM image.
ksh by Anonymous Coward · 2014-09-30 08:24 · Score: 0

Never saw a reason to abandon it. Still don't.
Wrong on two counts by sgtrock · 2014-09-30 08:36 · Score: 1

The beta was released in 1989. 25 years ago.
Which makes a perfect farce of the notion that many eyes make all bugs shallow.
1) We don't know when the bug was introduced, although it's clear that it was quite some time ago.
2) I defy you to name any version of any reasonably complex software that is guaranteed to be free of exploitable bugs. It's been shown by people much smarter than me that it's mathmatically impossible to do so. (Just one example thread discussing the problem.)
The difference is that with OSS, they all will eventually get found and fixed. The same can't be said of closed source software.
1. Re:Wrong on two counts by BasilBrush · 2014-09-30 09:50 · Score: 1
  
  1) We don't know when the bug was introduced, although it's clear that it was quite some time ago.
  You may not, but "we" do. I posted last Thursday that this vulnerability dates back to 1994.
  http://slashdot.org/comments.p...
  
  The difference is that with OSS, they all will eventually get found and fixed. The same can't be said of closed source software.
  That's religion, not fact. Furthermore your claim in the previous paragraph that "It's been shown by people much smarter than me that it's mathmatically impossible to do so." means that OSS cannot possibly fix all the bugs.
  You disappear in a cloud of your own illogicality.
2. Re:Wrong on two counts by angel'o'sphere · 2014-09-30 09:54 · Score: 1
  
  The difference is that with OSS, they all will eventually get found and fixed. The same can't be said of closed source software.
  
  That is nonsense. As soon as closed source software has a bug professionals are looking for the source of the bug and hence it gets finally fixed.
  There is bottom line no difference ... as long as the bug is unknown, no one will find it. Or is it your hobby to read OOS C code and "grasp it" and figure potential and true bugs, and on top of that: fix them?
  Which makes a perfect farce of the notion that many eyes make all bugs shallow.
  
  That always was a myth invented be ERS.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
3. Re:Wrong on two counts by Finite9 · 2014-10-01 21:20 · Score: 1
  
  you're wrong.
  "many eyes make all bugs shallow" is logically correct. Take a company with 200 developers working on closed source. Take an open source project which has *the potential* for all developers in all companies that use that FOSS software to be able to look at the source. Not talking users here but all developers worldwide that incorporate that FOSS project into their work or use it in some fashion. It is a statistically higher probability that a bug *has the potential* to be identified quicker and/or fixed quicker with FOSS than with closed source. ESR's statement still stands.
  Now just because there have been bugs that have been around unidentified for decades, does not mean that this is the norm, or that these cases are worse than closed source or an indication that FOSS is wrong in the many eyes theory. You're just trolling.
  Btw, "professionals"? Are you serious? You seriously think that FOSS developers are inferior in their competency compared to a developer who works at a company? You don't have a clue. I work in a large dev team for enterprise software (im not a dev). I have the greatest respect for FOSS developers, because with them, it's a pasion, with devs@company it's a pay check.
  
  --
  "Everyone knows that vi vi vi is the number of the beast" -- Richard Stallman
4. Re:Wrong on two counts by angel'o'sphere · 2014-10-02 03:05 · Score: 1
  
  "many eyes make all bugs shallow" is logically correct. No it is not. Bugs are usually found after they manifest themselves. Then the bug is searched for. Before that, it happens extremely rarely that a bug gets found in the source code.
  It is a statistically higher probability that a bug *has the potential* to be identified quicker and/or fixed quicker with FOSS than with closed source. If that would be the case, we would hear regularly about such bug fixes :D
  Btw, "professionals"? Are you serious? You seriously think that FOSS developers are inferior in their competency compared to a developer who works at a company? I mentioned "hobbyists" did, I not? Of course there are plenty of professional developers in the FOSS area. But there are also plenty of very bad developers.
  E.g. look at the source code of lucene: http://lucene.apache.org/ half of it is completely unmaintainable.
  Before opening your mouth so wide you should perhaps stop simply "using" FOSS but look into the sourcecode or debug it.
  I saw plenty of "bad code" form professionals ... however I saw no real prime example of good code in FOSS.
  The reason why many OSS is _good_ and has relatively low bugs is because a small core team of _professionals_ is crafting it. Not because it is FOSS or because many eyes are looking on it.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
The patch is irrelevant by angel'o'sphere · 2014-09-30 09:31 · Score: 1

Did anyone try to understand how this "bug" works?
Unless you have any service running, connected to the internet, that starts "bash scripts", nothing can happen to your computer.
Or how exactly do you think angel'o'sphere has any way (not chance! WAY!) at all to start a bash script on your computer, exploit the weakness and on top of that gain "super user" privileges?
That is not going to happen for any private mac user who has not running an Apache etc. and has not activated CGI scripts (and a router configured to route port 80 traffic to your Mac).
Sorry, this "Apple is late" mantras are simply bullshit.

--
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
1. Re:The patch is irrelevant by bhiestand · 2014-10-01 06:18 · Score: 1
  
  That is not going to happen for any private mac user who has not running an Apache etc. and has not activated CGI scripts (and a router configured to route port 80 traffic to your Mac).
  In other words, the thousands of businesses and people using xserves or OS X Server to host various sites/apps with the OS-included software?
  
  Sorry, this "Apple is late" mantras are simply bullshit.
  Apple is late. Stupid though it may be, many people are using OSX for servers. Apple did once sell these servers, cater to this market, and have enterprise support. Apple didn't even bother to release a patch for 10.6, even though it is still in use on most of these servers.
  Apple completely dropped the ball.
  
  --
  SWM seeks new sig for a brief fling
2. Re:The patch is irrelevant by angel'o'sphere · 2014-10-02 10:59 · Score: 1
  
  Apple is not more late than the Linux community.
  So what is your point? That there are still 'Mac OS X' server oses around? Or do you really want to claim that there are morons using Mac OS X Server editions to run CGI bash scripts from an Apache web server?
  Who actually is doing that? I never heard about a person using CGI _and_ a shell (what ever shell) ... regardless of the current security hole I can tell you a few dozen more.
  Running shell scripts by a web server as CGI scripts is simply retarded, regardless what flaws the shell might have.
  So picking on Apple because a fix is a day later than the hot debian or ubuntu distro is just brain dead.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
3. Re:The patch is irrelevant by bhiestand · 2014-10-13 15:36 · Score: 1
  
  So what is your point? That there are still 'Mac OS X' server oses around? Or do you really want to claim that there are morons using Mac OS X Server editions to run CGI bash scripts from an Apache web server?
  What's YOUR point? Yes, there ARE OS X servers running publicly accessible, vulnerable software. I am not only claiming it but stating I personally know this to be true. And no, I'm sure as hell not going to name names or give you more details than that.
  
  Running shell scripts by a web server as CGI scripts is simply retarded, regardless what flaws the shell might have.
  I already said the developers (and companies still using OS X Server) were being stupid. That is irrelevant.
  
  So picking on Apple because a fix is a day later than the hot debian or ubuntu distro is just brain dead.
  Apple was too slow. Being days late matters. This isn't kindergarten, and nobody is "picking on Apple". We do need to be honest and critical. And anyone with half a brain should interpret this as one more piece of evidence that Apple is lackadaisical about servers.
  
  --
  SWM seeks new sig for a brief fling
ridiculous by bussdriver · 2014-09-30 18:20 · Score: 1

Billions of lines of code for decades and some security holes make you think that you have PROOF open source does not work? Foolish.
The discovery of this is proof that many eyes DO find problems--- Apple could have done it themselves and it could have gone forever not being discovered. Apple has hardly ANY code that old and don't think that newer code is somehow automatically better than old code.
How can you possibly think that something that wasn't noticed by all those people for decades is somehow the fault of all those people NOT seeing it for two decades?
Furthermore, this was a feature it wasn't entirely a security bug so it wasn't going completely unnoticed - people knew about the thing and some scripts are going to break that depended upon it when it has been completely fixed. With more people aware of this new attack vector, bash is going to get more attention--- MORE eyes again.

--
Democracy Now! - uncensored, anti-establishment news
1. Re:ridiculous by BasilBrush · 2014-10-01 09:21 · Score: 1
  
  The discovery of this is proof that many eyes DO find problems
  No it isn't. The chance that these two vulnerabilities that hung round for 1-2 decades are the only ones is vanishingly small. They are an illustration that even the most mainstream of OSS code that's been around a long time hasn't been code reviewed properly.
  They are proof that that many uncoordinated and unrewarded eyes DON'T find problems. Because they don't even look.
  
  Furthermore, this was a feature it wasn't entirely a security bug
  Bullshit. The vulnerability it deminstrates has been demonstrated, it is not documented, and it doesn't make any sense that that's what it does. That's not a feature.
  The possibility that some people are using it in software doesn't make it a feature either. The very definition of hacking is using technology in a way that is not intended. That's what those programs are doing. Indeed malware is software that deliberately uses vulnerabilities, and that doesn't make those vulnerabilities features.
  
  With more people aware of this new attack vector, bash is going to get more attention--- MORE eyes again.
  AFTER 20 years. Having to scramble to fix something 2 decades late is not in any way an endorsement of a development practice. It's a condemnation of it. And in any case it's no different from what commercial closed source software teams would do it they similarly found out they'd been negligent with a particular code base for 20 years.
  "More eyes" is a myth. You have to be a blind zealot to still believe it.
Re:Exploit that only affects Mac and Linux by Wootery · 2014-09-30 23:06 · Score: 1
But:
- 1) This is a very high-profile vulnerability; the kind managers ask questions about, and the kind that can get a company bad PR
- 2) A Bash update should have good compatibility (though I agree that a sysadmin might still be nervous)
- 3) Part of a sysadmin's job is to cope with the borkingness of this stuff. Don't just blindly update your (say) web-facing servers; try it out first.