Security Updates Included in Mavericks 10.9.5

I recently installed OS X Mavericks 10.9.5. Does this include the security update for Bash 1.0 and the built in XProtect malware definitions for the Mac.BackDoor.iWorm malware?

MacBook, OS X Mavericks (10.9.5)

Posted on Oct 9, 2014 1:06 PM

Oct 10, 2014 2:28 PM in response to Kappy

Not strictly true, or even mostly true. If you happen to be on a network with a hacked DHCP server, and that DHCP server happens to exploit the shell 'feature', then an attacker can execute essentially arbitrary shell code ...


Consider (for example) using DHCP at a hotel, coffee shop, or airport (for example). Your VPN won't help you, because this happens pre-VPN. You do always use a VPN at hotels and airports, don't you? So, fixing the hole is a good idea unless you never leave your home network. Oh, and check your router (remote administration should be off, for example, and be sure yours doesn't have a manufacturer provided backdoor). And, you do trust everybody on your network, don't you?


The moral of the story: If security matters to you, fix this. It's easy and doesn't even require a reboot. As was said before, just copy this link and paste it into your browser: OS X bash Update 1.0 – OS X Mavericks (never click on URLs from people you don't know well, or even then.)

Oct 10, 2014 3:14 PM in response to RavenPhil

Nonsense. Baloney. I’ll take Apple’s word on the subject over a first time, anonymous poster any day of the week. The same FUD was perpetrated during the Heartbleed scare.


And by the way, what has happened to the Bash issue anyway? When it was first announced as worse than the Heartbleed bug and the Internet Apocalypse du jour people got all jittery. Like Heartbleed this END OF THE INTERNET flaw has disappeared from the face of the earth. Seems only the alarmists and doomsayers care about it now, still trying to scare people.

Oct 10, 2014 4:21 PM in response to lkrupp

This is all public information, easily verified with Google. C'mon people, if you're going to make snarky comments, at least do a little research!


Any program that can be tricked into passing an arbitrary string to execute in a bash shell (pretty much any shell, really, unless it is proved secure) presents a security hole. Bash is known not to be secure. Therefore, if you can pass an arbitrary string to bash, you have a security hole. This isn't hard to understand.


But, how can DHCP pass an arbitrary string to bash? The DHCP protocol works like this (simplified):


1. Client sends DHCP Discover

2. DHCP server sends DHCP Offer

3. Client sends DHCP Request

4. DHCP server sends DHCP ACK


The problem comes in step 4 (DHCP ACK). In addition to the many standard fields, a DHCP Server can send optional fields. One of these optional fields (number 114) requests setting remote variables and passes to the client machine arbitrary fields for those environmental variables. These environmental variables are then passed (unmodified) to a number of shell scripts (on Unix/BSD/Linux/OSX). These shell scripts are, in fact, bash scripts. This all probably seemed like a good idea when DHCP was designed, 20 odd years ago. It isn't.


So here is what happens:


During step 4 above, the (malicious) DHCP server sends (at least) one option 114 field to set certain environmental variables in the DHCP server. This was, in the past, expected and allowed behavior. It is what tells the DHCP server to remotely configure the network interface.


BUT, you have this scenario: Arbitrary input is being passed to bash, and neither the program passing the data nor bash itself adequately screens the input for form. Instead, arbitrary strings are allowed. These strings can contain a separator that tells bash, 'execute everything after me as a command'. So, you can use these environmental variables to (remotely) execute code (see generally ShellShock). In nearly all systems (including OSX), these scripts are executed in the root environment (i.e. by the most privileged user id).


This is oversimplified, but it should give the general idea.


Is this only theory? No. A metasploit module has already been released that exploits this 'feature' of DHCP. And, metasploit can hijack the DHCP function without your machine noticing it. It's had this ability for years. Several billion (yes, billion) cases of attempted exploits have been tracked by several security firms, in the wild, on the internet. Nobody knows how many have succeeded, but a lot of machines are vulnerable.


But, you say, my DHCP server is the one given to me by my ISP ... and surely it's safe, and anyway, it can't talk to my Mac directly. But, consider, the DHCP server for your (home) network very likely runs on your router, which probably is running Linux, so if it's been hacked, your Mac is indeed vulnerable. And, your home router gets its own tcp/ip address by using ... DHCP. And it faces the internet raw. Its firmware hasn't been updated (probably) in years, and it very possibly has an implementation of bash (or another shell script to handle 114 messages which is equally vulnerable), and if it does, then it is possibly vulnerable to the ShellShock exploit. Oh, and by the way, did I mention that it faces out into the mean, cruel internet?


Penultimately, is this all reason to panic? No. If you're concerned about security, click on the button on the Apple site that fixes it. There, that's not so hard, is it? You can fix your router's vulnerability too, but that's not what this thread is about. Why didn't Apple push this code fix harder? I have no clue--ask Apple.


And finally, perhaps people who don't have any clue what they're talking about should moderate their comments...
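The DHCP option 114 path described in the post above, as an added detection example (written for this thread, not code from the poster, Apple or Metasploit): parse the option TLVs out of a DHCP ACK and flag any option whose value starts with the bash exported-function marker that ShellShock abuses. Both packets are constructed inline; the "suspect" one carries only a harmless echo.

```python
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_URL, OPT_END = 0, 53, 114, 255
BOOTP_HEADER_LEN = 236          # fixed BOOTP fields before the magic cookie
# Every ShellShock payload must begin with bash's exported-function marker.
SHELLSHOCK_PREFIX = b"() {"


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value} for the TLV options after the magic cookie.

    Options split across several TLVs (RFC 3396) are concatenated; a truncated
    option raises ValueError instead of silently returning a partial value.
    """
    cookie_at = packet.find(DHCP_MAGIC_COOKIE, BOOTP_HEADER_LEN)
    if cookie_at == -1:
        raise ValueError("no DHCP magic cookie")
    i, opts = cookie_at + 4, {}
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def shellshock_suspect_options(packet: bytes) -> list:
    """Option codes whose value begins with the function-definition marker."""
    return sorted(code for code, val in parse_dhcp_options(packet).items()
                  if val.lstrip().startswith(SHELLSHOCK_PREFIX))


def build_ack(options) -> bytes:
    """Constructed test helper: minimal BOOTREPLY header plus the given options."""
    header = bytearray(BOOTP_HEADER_LEN)
    header[0] = 2  # op = BOOTREPLY
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return bytes(header) + DHCP_MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed samples: a normal ACK (type 5) with a captive-portal URL, and one
# whose option 114 carries a bash function definition followed by a trailing command.
BENIGN_ACK = build_ack([(OPT_MSG_TYPE, b"\x05"), (1, b"\xff\xff\xff\x00"),
                        (OPT_URL, b"http://captive.example/login")])
SUSPECT_ACK = build_ack([(OPT_MSG_TYPE, b"\x05"),
                         (OPT_URL, b"() { :;}; echo constructed-sample")])
```

Run it over captured DHCP ACK payloads (UDP port 68 traffic) to spot a rogue server on a hotspot; the value check is deliberately a prefix match, since the marker is what a vulnerable bash keys on, not whatever follows it.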

Oct 10, 2014 5:43 PM in response to RavenPhil

As stated before, we should take Apple’s word over some anonymous poster who CLAIMS to know what they are talking about. My advice is to ignore this individual and listen to what Apple says. And Apple says you do NOT need the patch unless you have enabled the affected Unix services. This guy is spouting pure FUD.

Oct 10, 2014 7:22 PM in response to MadMacs0

This is my last reply, promise. It's not worth continuing this...


First, I specifically said, in the first post, that the danger came NOT from your own router, but from being in some other environment. Like a WiFi hotspot.


Second, of course it sounds like regurgitation of the exploit. That's what it is ... a simplified description of the exploit. For a more complicated one, check any good security website. See if those sites agree with lkrupp and madmacs0 ... and, as to the 'DHCP expert', there is no such type of expert. Think about it. Download metasploit, try it against your mac, and see what happens. Learn to make your own decisions.

Oct 10, 2014 7:31 PM in response to RavenPhil

Second, of course it sounds like regurgitation of the exploit. That's what it is ... a simplified description of the exploit.

We all know how the exploit works. Nothing exciting there.

Now take the next step. You've compromised my DHCP server. Now what can you do?

That's what I'm asking.

This is my last reply, promise. It's not worth continuing this...

I imagine you can't explain the next step, that's why it will be your last reply.

Oct 10, 2014 8:51 PM in response to RavenPhil

RavenPhil wrote:


First, I specifically said, in the first post, that the danger came NOT from your own router, but from being in some other environment. Like a WiFi hotspot.

And I didn't say it was a router, in fact he used a stand-alone DHCP router that had this well known vulnerability and attempted to use it as a vector to exploit any of the currently known OS X bash vulnerabilities.

Download metasploit, try it against your mac, and see what happens.

I'd be happy to when they release an OS X version, in the meanwhile I'll continue to use Nessus. Note that Rapid7 is the only one quoted as saying that OS X is still open to exploit after the Apple Patch.


Apple deal with facts only. When they are presented with an actual threat, including a POC exploit, they have always acted swiftly to protect their users. I correspond with Apple Product Security regularly when I believe I have found evidence of such things. Most of the time they take a look and respond with appropriate action. I've only had them tell me once that it wasn't a security concern and their explanation and a bit more research on my part convinced me they were correct. I feel confident that when anybody can demonstrate an actual threat that they will act appropriately.
