On September 24, 2014, a security vulnerability was publicly announced that affects a large percentage of Internet-connected devices. This vulnerability, known as Shellshock, affects the Unix command shell Bash. Bash, the Bourne-again shell, is one of the most common applications on Unix-based systems, so many devices running Mac OS X or Linux are affected by this serious vulnerability.
It is important to understand that this vulnerability could allow unauthorized access to your computer. Although the bug has been present for over two decades, do not underestimate its seriousness: patches should be deployed as soon as possible.
Patch
OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks
released: September 29th, 2014
Future
So if you install the patch you might think, “Great, I’m done”, crisis averted. False! Since the original Shellshock vulnerability (CVE-2014-6271) was disclosed, at least four additional bugs have been found. If you would like to test your Mac to see whether you are vulnerable, you can use the following script to help identify the bugs you are susceptible to.
Additional bugs related to Shellshock:
- CVE-2014-6271 (original shellshock)
- CVE-2014-7169 (taviso bug)
- CVE-2014-7186 (redir_stack bug)
- CVE-2014-7187 (nested loops off by one)
- CVE-2014-6277 (lcamtuf bug)
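As an added illustration of what such a check does, here is a small, read-only shell script that tests only the original bug, CVE-2014-6271. It is not the page's script and not the GitHub bashcheck script cited in the articles below; the function names (shellshock_6271_status, bash_version_line, shellshock_report) and the BASH_BIN variable are this example's own. It exports an environment variable whose value looks like an exported function definition followed by an extra harmless command; an unpatched bash runs that trailing command while importing the function, so the word "vulnerable" shows up in the output, while a patched bash prints only "test".

```shell
#!/bin/sh
# Added example: minimal check for the original Shellshock bug (CVE-2014-6271).
# Not the page's script or the cited bashcheck script; names are this example's own.

# Which bash to test. Override to check a specific binary, e.g. BASH_BIN=/bin/bash.
BASH_BIN="${BASH_BIN:-bash}"

# Prints "vulnerable", "patched" or "not-installed"; exit status 1, 0 or 2.
shellshock_6271_status() {
    if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
        echo "not-installed"
        return 2
    fi
    # The variable value is a function definition followed by an extra command.
    # A patched bash stops importing at the closing brace; an unpatched bash
    # executes "echo vulnerable" before running the requested command.
    _out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$_out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Version string of the tested bash, for comparison with the vendor advisory.
bash_version_line() {
    command -v "$BASH_BIN" >/dev/null 2>&1 && "$BASH_BIN" -c 'printf "%s\n" "$BASH_VERSION"'
}

# Human-readable summary; always exits 0 so it is safe under "set -e".
shellshock_report() {
    printf 'bash binary  : %s\n' "$(command -v "$BASH_BIN" 2>/dev/null || echo none)"
    printf 'bash version : %s\n' "$(bash_version_line || echo unknown)"
    printf 'CVE-2014-6271: %s\n' "$(shellshock_6271_status)"
}

shellshock_report
```

Run it as-is to test the bash found first in PATH, or as `BASH_BIN=/bin/bash sh ./check.sh` to test the system copy that Apple's update replaces. The payload is deliberately limited to `echo`, so the check leaves no files behind and can be repeated after patching to confirm the fix took effect.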
If you would like to see the official reports for these bugs, use the website linked here.
At this point, the worst might be behind us. Pay attention to Apple updates: as future issues are reported, another patch for Bash will most likely be released by Apple.
Articles:
- Apple Stack Exchange
- Apple working to protect OS X against shellshock
- Bash fix not in SUS
- Github bashcheck script
- Remote exploit vulnerability in bash
- What is Shellshock