2014.09.25: Shell Shock Vulnerability Advisory

10/2/2014 Update: Apple has released patches for Shellshock for Yosemite (10.9), Mountain Lion (10.8), and Lion (10.7).

  • Yosemite (10.9): http://support.apple.com/kb/DL1769
  • Mountain Lion (10.8): http://support.apple.com/kb/DL1768
  • Lion (10.7): http://support.apple.com/kb/DL1767

Earlier today IT learned about a new vulnerability called Shell Shock. It affects Bash, a command shell commonly used on Unix-based computers and devices, including Apple Macintosh computers. We are posting everything we know about Shell Shock here and will update this page as we learn more.

If you are on a Macintosh computer you can run the following command in Terminal to determine whether or not your computer is vulnerable:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If your computer responds with 'vulnerable', then it is vulnerable. We have heard reports that some of the latest development builds of OS X 10.10 are not vulnerable, but we have yet to verify that independently.
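To run the same check against every Bash binary on a machine (on OS X, /bin/sh is also Bash), the script below wraps the command above. It is an added example, not part of the original advisory; the function names check_shell and scan_shells and the default candidate list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original advisory): wraps the advisory's probe
# so it can be run against several shell binaries and scripted.
# Usage after sourcing: scan_shells            (default candidates)
#                       scan_shells /usr/local/bin/bash /opt/custom/bash

# check_shell PATH
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = could not be tested.
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ] || [ -d "$shell_path" ]; then
        return 2
    fi
    # Same probe as the advisory. stderr is discarded so that only the
    # probe's standard output is classified.
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" -c 'echo hello' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) return 1 ;;   # the injected echo ran
        *hello*)      return 0 ;;   # only the intended command ran
        *)            return 2 ;;   # binary did not behave like a shell
    esac
}

# scan_shells [PATH...]
# Prints one line per binary; returns 1 if any tested binary is vulnerable.
scan_shells() {
    if [ "$#" -eq 0 ]; then
        # Assumed defaults: the system shells plus the first bash on PATH.
        set -- /bin/sh /bin/bash
        extra=$(command -v bash 2>/dev/null) || true
        if [ -n "$extra" ] && [ "$extra" != /bin/bash ]; then
            set -- "$@" "$extra"
        fi
    fi
    worst=0
    for s in "$@"; do
        rc=0
        check_shell "$s" || rc=$?
        case $rc in
            0) echo "OK          $s" ;;
            1) echo "VULNERABLE  $s"; worst=1 ;;
            *) echo "SKIPPED     $s" ;;
        esac
    done
    return $worst
}
```

Re-run scan_shells after patching; a copy of Bash installed outside the system paths is not replaced by the vendor update and has to be passed to the function explicitly.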

To patch Shell Shock in CentOS, Ubuntu, and other Linux distributions this article may be helpful:

http://www.linuxnews.pro/patch-bash-shell-shock-centos-ubuntu/

A manual patch for OS X is possible, and is outlined here:

http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/

From '9 to 5 Mac'

http://9to5mac.com/2014/09/25/mac-vulnerability/

A vulnerability in Bash, the software used to control the command shell in many flavors of Unix, has been shown to be present in OS X – with some security researchers saying that the flaw could pose a bigger threat than the Heartbleed vulnerability discovered last year.

From Symantec

http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability

Computers running Mac OS X are also potentially vulnerable until Apple releases a patch for the vulnerability. Again, attackers would need to find a way to pass malformed commands to Bash on the targeted Mac. 
