Apple Fixes Shellshock In OS X

← Back to Stories (view on slashdot.org)

Apple Fixes Shellshock In OS X

Posted by timothy on Tuesday September 30, 2014 @12:42AM from the that's-mac-os-x-to-you-buddy dept.

jones_supa (887896) writes Apple has released the OS X Bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion, a patch that fixes the "Shellshock" bug in the Bash shell. Bash, which is the default shell for many Linux-based operating systems, has been updated two times to fix the bug, and many Linux distributions have already issued updates to their users. When installed on an OS X Mavericks system, the patch upgrades the Bash shell from version 3.2.51 to version 3.2.53. The update requires the OS X 10.9.5, 10.8.5, or 10.7.5 updates to be installed on the system first. An Apple representative told Ars Technica that OS X Yosemite, the upcoming version of OS X, will receive the patch later.

7 of 174 comments (clear)

Min score:

Reason:

Sort:

Why isn't this auto-update? by Anonymous Coward · 2014-09-30 00:47 · Score: 5, Informative

I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the slashdot article and manually download the patch?!?!?
1. Re:Why isn't this auto-update? by kybred · 2014-09-30 00:54 · Score: 4, Informative
  
  I downloaded and installed this update. It updates bash to version 3.2.53(1), but a patch to version 3.2.54(1) is available on gnu.org. I'm guessing that there will be more updates since additional issues with the parsing in bash have been (are being) found.
2. Re:Why isn't this auto-update? by tlhIngan · 2014-09-30 03:29 · Score: 5, Insightful
  
  I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the slashdot article and manually download the patch?!?!?
  Because of many reasons.
  First off, the patch isn't complete. Sure there was a patch last week, but did you know it didn't fix the problem? Yes, it fixed the obvious error, but there were still more (and new CVE was opened for Shellshock). Bash devs are still finding more holes related to this issue, and it goes down a deep rabbit hole. This hole may never be full patched for a long time.
  Second, there aren't many OS X systems that are exploitable. Remote exploits require a server to take parameters, format them as environment variables and then call the shell (usually through system()). HTTP and CGI scripts are a common vector because that's exactly how they work. Most webservers out there run Linux and there really isn't a special reason to run OS X + httpd + CGI over running it on Linux especially on a public server. So for the scant few servers, those admins can update the shell.
  And on OS X, the webserver is disabled by default and most users won't know how to turn it on. I don't think even OS X server has it on by default - given the server is really just a bunch of admin tools nowadays.
  Third, well, I don't think many OS X apps actually bother using a call like system() to perform a task - there's probably a native Cocoa API that is supposed to be used instead.
  So it's more of a hotpatch for those few machines that are potentially vulnerable. In fact, the patch that was provided last week wasn't fixing the issue, more working around the issue so it's harder to exploit (i.e., instead of an arbitrary variable containing a function, it has to be prefixed with _BASH_FUNC_ in order to be allowed as a definition).
  There is currently no root-cause fix for the issue - it's actively being worked on by Bash developers and others. This isn't like heartbleed where the mistake was a little programming oversight - it's a full on design issue that dates back 20+ years. There are probably going to be dozens of patches to fix the issue in the end.
Re:I have an idea by Anonymous Coward · 2014-09-30 01:05 · Score: 5, Funny

How about releasing a version of bash that has function passing disabled. That would be safer and we can find out what breaks.
If only bash were open source, one could do this themselves instead of hoping others might do it for them.
Re:Exploit that only affects Mac and Linux by nuonguy · 2014-09-30 01:18 · Score: 5, Insightful

At least it's still news when we learn about Mac and Linux vulnerabilities. :-)
Re:that was fast by zerosomething · 2014-09-30 01:19 · Score: 4, Interesting

Unfortunately Apple knows very few actually run OS X server and Apache through it so the possible compromised systems, in their eyes, was very small. i.e. not a big deal to get this out fast. What they don't realize is that a large number of institutions actually use their server product to manage all the Macs in the institution. If the servers were compromised then all the clients would then be at risk. Think instant Mac bot net! Fortunately this is open source software and you can patch it your self but most Mac servers are run by people that don't know how to do that. Sigh...

--
It all starts at 0
AWWWW SHEET, I think I've been HACK#ED! by Thud457 · 2014-09-30 03:54 · Score: 4, Funny

Where's this #%)&@@^ U2 album come from?!
I never asked for this...

--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff