Bash or Shellshock bug

Have just read in the NYT and CNET about the Bash or Shellshock bug, a new security vulnerability which could affect hardware running Mac OS X.

Anybody know about this and is there anything to be done?

iMac (21.5-inch Mid 2011), Mac OS X (10.7.5), using a router (desktop and tablet)

Posted on Sep 25, 2014 6:45 AM

Reply

Sep 25, 2014 10:50 AM in response to V.A.P.

I'm running Mac OS X 10.9.5 and I tested the code (in a friendly way) and it's true, we are all vulnerable!


Open the Terminal application and type:

env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"


If the above command returns:

shellshock

completed


it means that the OS is vulnerable. No comments from Apple yet? I only have Mac OS on my notebooks; all servers here are Red Hat Enterprise Linux (thank God) and they are all already patched!

Reply
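The test from the post above, generalized to every bash binary on the machine rather than only the one `which bash` finds; this is an added example, not part of the original thread. It assumes the candidates are /bin/sh, /bin/bash and the entries in /etc/shells, and the names PROBE, check_bash and audit_shells are made up here.

```shell
#!/bin/sh
# Added example: run the thread's test against each candidate shell.
# PROBE is the function-definition-plus-trailing-command string from the post.
PROBE='() { :;} ; echo shellshock'

# check_bash PATH -> prints vulnerable, patched, unknown, not-bash or missing
check_bash() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo missing; return 0; }
    # Only bash imports functions from the environment; skip other shells.
    # stdin is /dev/null so a shell that ignores --version cannot block.
    case $("$shell_path" --version </dev/null 2>/dev/null) in
        *"GNU bash"*) ;;
        *) echo not-bash; return 0 ;;
    esac
    out=$(env X="$PROBE" "$shell_path" -c 'echo completed' </dev/null 2>/dev/null) || true
    case $out in
        *shellshock*) echo vulnerable ;;   # trailing command ran on import
        *completed*)  echo patched ;;
        *)            echo unknown ;;
    esac
}

# audit_shells [FILE] -> one "status path" line per candidate shell
# FILE defaults to /etc/shells (assumed location of the login-shell list).
audit_shells() {
    shells_file=${1:-/etc/shells}
    {
        echo /bin/sh
        echo /bin/bash
        if [ -r "$shells_file" ]; then grep '^/' "$shells_file" || true; fi
    } | sort -u | while IFS= read -r candidate; do
        printf '%s %s\n' "$(check_bash "$candidate")" "$candidate"
    done
}

audit_shells
```

Any line starting with `vulnerable` names a binary that still needs the update, including /bin/sh where that is a copy of bash.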

Sep 25, 2014 10:53 AM in response to tandonk

Thanks, a great workaround, but what happens when Apple releases the fix? What will happen to the manual modification that you did? Will it be overwritten by Apple's fix? Or will Mac OS not be able to apply whatever comes from Apple? Messing with manual workarounds might lead to headaches in the future (especially if you keep upgrading OSes).


What do you think?

Reply

Sep 25, 2014 11:03 AM in response to V.A.P.

The truth is: yes you are technically vulnerable. But the reality is unless you allow SSH access from remote connections or a web server that runs server side scripting, you are not at risk. You are only truly vulnerable if someone you do not know can remotely access your machine & do so in a way where a Bash command can be executed.

So this issue is mainly of concern to system administrators on Mac OS X & Unix/Linux servers exposed to the world, not desktop users who do not enable SSH sharing.

Reply

Sep 26, 2014 6:10 AM in response to V.A.P.

A somewhat technical evaluation of the situation: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html


Summary: It's a pretty big sea. Watch for an update from Apple (although the tech support person yesterday knew nothing about it, and blew me off saying it was a third-party rumor).

Reply

Sep 26, 2014 8:29 AM in response to V.A.P.

Unless you are running OS 10.9.5 you are not affected.


Apple has promised an update for advanced Unix users (the only ones possibly affected except those running OS 10.9.5):


http://www.imore.com/apple-working-quickly-protect-os-x-against-shellshock-exploit


Advanced users who have OS X machines in a situation where they may be remotely exploited, such as systems administrators with internet-facing OS X servers, can mitigate the issue by recompiling bash with the official patches from GNU until Apple issues its own update:


https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052

Reply
