Slashdot Mirror


Apple Fixes Shellshock In OS X

jones_supa (887896) writes Apple has released the OS X Bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion, a patch that fixes the "Shellshock" bug in the Bash shell. Bash, which is the default shell for many Linux-based operating systems, has been updated two times to fix the bug, and many Linux distributions have already issued updates to their users. When installed on an OS X Mavericks system, the patch upgrades the Bash shell from version 3.2.51 to version 3.2.53. The update requires the OS X 10.9.5, 10.8.5, or 10.7.5 updates to be installed on the system first. An Apple representative told Ars Technica that OS X Yosemite, the upcoming version of OS X, will receive the patch later.

21 of 174 comments

  1. Why isn't this auto-update? by Anonymous Coward · · Score: 5, Informative

    I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the slashdot article and manually download the patch?!?!?

    1. Re:Why isn't this auto-update? by kybred · · Score: 4, Informative

      I downloaded and installed this update. It updates bash to version 3.2.53(1), but a patch to version 3.2.54(1) is available on gnu.org. I'm guessing that there will be more updates since additional issues with the parsing in bash have been (are being) found.

    2. Re:Why isn't this auto-update? by jythie · · Score: 2

      It depends on what the malfunctioning patch does to the systems.

      Since Macs are rarely used as servers the number out there is probably going to be pretty small, so that has to be factored in as well.

    3. Re:Why isn't this auto-update? by tlhIngan · · Score: 5, Insightful

      I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the slashdot article and manually download the patch?!?!?

      Because of many reasons.

      First off, the patch isn't complete. Sure there was a patch last week, but did you know it didn't fix the problem? Yes, it fixed the obvious error, but there were still more (and a new CVE was opened for Shellshock). Bash devs are still finding more holes related to this issue, and it goes down a deep rabbit hole. This hole may never be fully patched for a long time.

      Second, there aren't many OS X systems that are exploitable. Remote exploits require a server to take parameters, format them as environment variables and then call the shell (usually through system()). HTTP and CGI scripts are a common vector because that's exactly how they work. Most webservers out there run Linux and there really isn't a special reason to run OS X + httpd + CGI over running it on Linux especially on a public server. So for the scant few servers, those admins can update the shell.

      And on OS X, the webserver is disabled by default and most users won't know how to turn it on. I don't think even OS X server has it on by default - given the server is really just a bunch of admin tools nowadays.

      Third, well, I don't think many OS X apps actually bother using a call like system() to perform a task - there's probably a native Cocoa API that is supposed to be used instead.

      So it's more of a hotpatch for those few machines that are potentially vulnerable. In fact, the patch that was provided last week wasn't fixing the issue, more working around the issue so it's harder to exploit (i.e., instead of an arbitrary variable containing a function, it has to be prefixed with _BASH_FUNC_ in order to be allowed as a definition).

      There is currently no root-cause fix for the issue - it's actively being worked on by Bash developers and others. This isn't like Heartbleed where the mistake was a little programming oversight - it's a full-on design issue that dates back 20+ years. There are probably going to be dozens of patches to fix the issue in the end.

    4. Re: Why isn't this auto-update? by smash · · Score: 2

      The majority of which do not apply to OS X and only Linux, because OS X isn't held together with shell scripts and duct tape.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.

    5. Re: Why isn't this auto-update? by Anonymous Coward · · Score: 2, Informative

      Why not?

      http://opensource.apple.com

    6. Re: Why isn't this auto-update? by BasilBrush · · Score: 2

      That's not a "dirty secret". Having a single component that launches all daemons is a laudable improvement over the ad hoc, multiple methods that had grown up in Unix-like OSs.

      Linux has political problems between Linus and the systemd team, and systemd may be overreaching. None of which is relevant to OS X's entirely different component launchd.

      And if anyone thinks there's any copying going on here, take note of the direction - OSX launchd dates back to 2005. Linux systemd to 2010.

    7. Re: Why isn't this auto-update? by unixisc · · Score: 2

      Yeah, but since GPL3, Apple doesn't touch GPL code w/ a bargepole - GCC and Samba have both been shown the door. Which is why it's surprising that Apple uses bash, when they have the source code to a lot of closed shells, courtesy of their ownership of both NEXTSTEP and, in ancient times, A/UX.

    8. Re: Why isn't this auto-update? by kybred · · Score: 2

      Bash 3.2 is still under the GPL v2.

  2. Re:I have an idea by Anonymous Coward · · Score: 5, Funny

    How about releasing a version of bash that has function passing disabled? That would be safer and we can find out what breaks.

    If only bash were open source, one could do this themselves instead of hoping others might do it for them.

  3. Re:Exploit that only affects Mac and Linux by nuonguy · · Score: 5, Insightful

    At least it's still news when we learn about Mac and Linux vulnerabilities. :-)

  4. Re:that was fast by zerosomething · · Score: 4, Interesting

    Unfortunately Apple knows very few actually run OS X Server and Apache through it, so the possible compromised systems, in their eyes, was very small, i.e. not a big deal to get this out fast. What they don't realize is that a large number of institutions actually use their server product to manage all the Macs in the institution. If the servers were compromised then all the clients would then be at risk. Think instant Mac botnet! Fortunately this is open source software and you can patch it yourself, but most Mac servers are run by people that don't know how to do that. Sigh...

    --
    It all starts at 0

  5. Re:that was fast by Bing+Tsher+E · · Score: 3, Funny

    Mac servers? You mean that SE/30 running the Pokeytalk network, with the Laserwriter attached to it?

  6. Re:I have an idea by Anonymous Coward · · Score: 3, Interesting

    Hey, not me. I'm expecting the open source community to do it for me for no cost, while I sip mojitos.

  7. Re:Exploit that only affects Mac and Linux by Wootery · · Score: 3, Insightful

    It's a ticking time bomb, and this is likely just the blasting cap going off.

    So you're expecting an 'explosion' even worse than Shellshock and co?

    I doubt it. Bash will be hammered on, and will be made more secure, in the coming weeks.

  8. No sensible person ever thought it was impossible by daveschroeder · · Score: 2, Informative

    But even here, again, when you look at a typical OS X desktop system, how many people:

    1. Have apache enabled AND exposed to the public internet (i.e., not behind a NAT router, firewall, etc)?

    2. Even have apache or any other services enabled at all?

    ...both of which would be required for this exploit. The answer? Vanishingly small to be almost zero.

    So, in the context of OS X, it's yet another theoretical exploit; "theoretical" in the sense that it affects essentially zero conventional OS X desktop users. Could there have been a worm or other attack vector which then exploited the bash vulnerability on OS X? Sure, I suppose. But there wasn't, and it's a moot point since a patch is now available within days of the disclosure.

    And people running OS X as web servers exposed to the public internet, with the demise of the standalone Mac OS X Server products as of 10.6, are almost a thing of yesteryear themselves.

    Nothing has changed since that era: all OSes have always been vulnerable to attacks, both local and remote, by various means, and there have been any number of vulnerabilities that have only impacted UN*X systems, Linux and OS X included, and not Windows, over very many years. So yeah, nothing has changed, and OS X (and iOS) is still a very secure OS, by any definition or viewpoint of the definition of "secure", when viewed alongside Windows (and Android).

  9. Bashed. by westlake · · Score: 3, Insightful

    At least it's still news when we learn about Mac and Linux vulnerabilities. :-)

    This is Bash, remember.

    Stallman and the Free Software Foundation (FSF) considered a free shell that could run existing sh scripts so strategic to a completely free system built from BSD and GNU code that this was one of the few projects they funded themselves.

    Bash (Unix shell)

    The beta was released in 1989. 25 years ago.

    Which makes a perfect farce of the notion that many eyes make all bugs shallow.

  10. AWWWW SHEET, I think I've been HACK#ED! by Thud457 · · Score: 4, Funny

    Where's this #%)&@@^ U2 album come from?!
    I never asked for this...

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  11. Re:that was fast by smash · · Score: 2

    Apple are likely more concerned with breaking apps that may depend on certain behaviour and actually QA testing their shit before putting it out to 100 million users or so and dealing with the fallout from "it just works" breaking. Linux is an entirely different kettle of fish, where breaking people's shit because you don't like company X or you have an ideology conflict is "acceptable".

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.

  12. Re:I have an idea by hweimer · · Score: 2

    Unless of course the malefactors know this and stick BASH_FUNC_ in front of their exploit strings.

    This won't work because an attacker will only be able to manipulate the content of some environment variable, but not its name. And being able to manipulate arbitrary environment variables has always been equivalent to being able to execute arbitrary code. Think LD_PRELOAD or IFS, for example.

    --
    OS Reviews: Free and Open Source Software

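
As an added check (not code from this thread, from Apple or from the GNU bash project), a short POSIX shell script that shows the two things tlhIngan's and hweimer's comments describe: whether the bash on PATH still executes a command trailing an exported function definition, and the BASH_FUNC_ prefix a patched bash puts on exported functions; the variable name x and the function name probe are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread or from Apple/GNU.
# Two checks against the bash found on PATH:
#  1. does it still run a command that trails an exported function body
#     (the original Shellshock behaviour this thread is about)?
#  2. which environment-variable name does it use when exporting a
#     function? Patched bash uses a BASH_FUNC_ prefix (with a "%%" or
#     "()" suffix depending on the build); pre-patch bash used the bare
#     function name, so any variable could carry a function definition.
# The variable name "x" and the function name "probe" are constructed here.

shellshock_status() {
  # Return 0 when bash is patched, 1 when the trailing command executes,
  # 2 when no bash is available to test.
  command -v bash >/dev/null 2>&1 || return 2
  out=$(env x='() { :;}; echo TRAILING_COMMAND_RAN' bash -c 'echo probe' 2>/dev/null)
  case "$out" in
    *TRAILING_COMMAND_RAN*) return 1 ;;
    *) return 0 ;;
  esac
}

exported_function_env_name() {
  # Print the environment entry name bash produces for an exported function,
  # e.g. "BASH_FUNC_probe%%" on a patched bash.
  bash -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
    | grep -o '^[A-Za-z_]*probe[^=]*' | head -n 1
}

if shellshock_status; then
  echo "bash: patched (trailing command was not executed)"
else
  echo "bash: VULNERABLE or not installed"
fi
echo "exported function appears in the environment as: $(exported_function_env_name)"
```

Run it on the machine you just patched: a 3.2.53 bash from Apple's update reports patched and lists the exported function under a BASH_FUNC_ name.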
  13. Re:Mac's don't get viruses. . . by unimacs · · Score: 2

    Your first source cites a report from Trend Micro that barely mentions OS X. It shows a chart with the number of vulnerabilities by vendor but it doesn't make any effort to characterize the severity of the vulnerabilities or the likelihood of being affected by them.

    Your second source is not a study or report at all but the opinion of a guy selling security software. I'm not saying his opinion isn't worth anything, only that he stands to gain by scaring OS X users into buying his software. And just as an aside, I wouldn't be surprised if more systems have been compromised in some way by anti-virus software than any single virus.

    I'm sorry but I don't think comparing MS to Red Hat is valid. They have a much different user base. The report you listed in your original post went as far as to say that MS was mostly patching client vulnerabilities (in browsers and such) that potentially affect huge numbers of systems, many of which are operated by people who are less knowledgeable and more vulnerable to things like trojans. In those cases I agree you need to move quickly.

    Something like Shellshock might potentially affect something like 2% of all Macs (if not less), while a patch affects a large percentage of them. You'd better make sure you don't screw up something in that patch. The majority of Mac users are not like Linux users who can easily recover from a bad patch.