Apple Fixes Shellshock In OS X

jones_supa (887896) writes Apple has released the OS X Bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion, a patch that fixes the "Shellshock" bug in the Bash shell. Bash, which is the default shell for many Linux-based operating systems, has been updated two times to fix the bug, and many Linux distributions have already issued updates to their users. When installed on an OS X Mavericks system, the patch upgrades the Bash shell from version 3.2.51 to version 3.2.53. The update requires the OS X 10.9.5, 10.8.5, or 10.7.5 updates to be installed on the system first. An Apple representative told Ars Technica that OS X Yosemite, the upcoming version of OS X, will receive the patch later.

Why isn't this auto-update?

I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the slashdot article and manually download the patch?!?!?

Re:Why isn't this auto-update?

[kybred]

I downloaded and installed this update. It updates bash to version 3.2.53(1), but a patch to version 3.2.54(1) is available on gnu.org. I'm guessing that there will be more updates since additional issues with the parsing in bash have been (are being) found.

Re:Why isn't this auto-update?

[tlhIngan]

I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the slashdot article and manually download the patch?!?!?

Because of many reasons.

First off, the patch isn't complete. Sure there was a patch last week, but did you know it didn't fix the problem? Yes, it fixed the obvious error, but there were still more (and new CVE was opened for Shellshock). Bash devs are still finding more holes related to this issue, and it goes down a deep rabbit hole. This hole may never be full patched for a long time.

Second, there aren't many OS X systems that are exploitable. Remote exploits require a server to take parameters, format them as environment variables and then call the shell (usually through system()). HTTP and CGI scripts are a common vector because that's exactly how they work. Most webservers out there run Linux and there really isn't a special reason to run OS X + httpd + CGI over running it on Linux especially on a public server. So for the scant few servers, those admins can update the shell.

And on OS X, the webserver is disabled by default and most users won't know how to turn it on. I don't think even OS X server has it on by default - given the server is really just a bunch of admin tools nowadays.

Third, well, I don't think many OS X apps actually bother using a call like system() to perform a task - there's probably a native Cocoa API that is supposed to be used instead.

So it's more of a hotpatch for those few machines that are potentially vulnerable. In fact, the patch that was provided last week wasn't fixing the issue, more working around the issue so it's harder to exploit (i.e., instead of an arbitrary variable containing a function, it has to be prefixed with _BASH_FUNC_ in order to be allowed as a definition).

There is currently no root-cause fix for the issue - it's actively being worked on by Bash developers and others. This isn't like heartbleed where the mistake was a little programming oversight - it's a full on design issue that dates back 20+ years. There are probably going to be dozens of patches to fix the issue in the end.

Re:I have an idea

How about releasing a version of bash that has function passing disabled. That would be safer and we can find out what breaks.

If only bash were open source, one could do this themselves instead of hoping others might do it for them.

Re:Exploit that only affects Mac and Linux

[nuonguy]

At least it's still news when we learn about Mac and Linux vulnerabilities. :-)

Re:that was fast

[zerosomething]

Unfortunately Apple knows very few actually run OS X server and Apache through it so the possible compromised systems, in their eyes, was very small. i.e. not a big deal to get this out fast. What they don't realize is that a large number of institutions actually use their server product to manage all the Macs in the institution. If the servers were compromised then all the clients would then be at risk. Think instant Mac bot net! Fortunately this is open source software and you can patch it your self but most Mac servers are run by people that don't know how to do that. Sigh...

Re:that was fast

[Bing+Tsher+E]

Mac servers? You mean that SE/30 running the Pokeytalk network, with the Laserwriter attached to it?

Re:I have an idea

Hey, not me. I'm expecting the open source community to do it for me for no cost, while I sip mojitos.

Re:Exploit that only affects Mac and Linux

[Wootery]

It's a ticking time bomb, and this is likely just the blasting cap going off.

So you're expecting an 'explosion' even worse than Shellshock and co?

I doubt it. Bash will be hammered on, and will be made more secure, in the coming weeks.

Bashed.

[westlake]

At least it's still news when we learn about Mac and Linux vulnerabilities. :-)

This is Bash, remember.

Stallman and the Free Software Foundation (FSF) considered a free shell that could run existing sh scripts so strategic to a completely free system built from BSD and GNU code that this was one of the few projects they funded themselves.

Bash (Unix shell)

The beta was released in 1989. 25 years ago.

Which makes a perfect farce of the notion that many eyes make all bugs shallow.

AWWWW SHEET, I think I've been HACK#ED!

[Thud457]

Where's this #%)&@@^ U2 album come from?!
I never asked for this...