
Apple: ‘Vast majority of OS X users’ need not worry about Shellshock exploit



Security researchers recently uncovered a bug in Bash, the command shell that has been a core part of Linux and Unix systems for the last couple of decades. OS X is Unix-based and ships Bash, so concern arose about whether attackers could exploit the bug on a Mac to run code remotely without the user’s consent.

Dubbed “Shellshock,” the bug has been compared to Heartbleed, the OpenSSL flaw from earlier this year. Apple’s response is that the “vast majority of OS X users” are not vulnerable.

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson told iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

Read that carefully: the vulnerable Bash binary is present on every Mac, but it can only be triggered over the network if something on your Mac hands untrusted input to it, such as a web server running CGI scripts or Remote Login (SSH) for other people. If you have never turned on services like that, there is no remote path to the bug. If you have, you are the “advanced UNIX user” Apple is talking about and should take precautions until the update arrives.

Whether or not you use such services, you can check if the Bash on your Mac has the bug by pasting the following command into Terminal (use straight single quotes; curly quotes produce a “syntax error near unexpected token” message rather than a result):

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If your Bash has been patched, you’ll get the following back:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

If it has not, the first line of output is “vulnerable”, followed by “hello”: the command after the function body ran the moment Bash imported the variable, before your own command did.

Mavericks is affected, and at the time of writing so is the Yosemite public beta, so don’t treat the OS X version name as a safe indicator; run the check above. Until Apple’s update ships, the only way to change the result on an affected Mac is to update Bash yourself.
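As an added example (not code from the article, from Apple or from the commenters), here is a POSIX shell script that turns the check above into something repeatable: it tries the article’s payload (CVE-2014-6271) and the follow-up bypass payload (CVE-2014-7169) against a chosen bash binary, then filters “launchctl list” for the stock OS X services that would actually let remote input reach that bash. The launchd labels org.apache.httpd (Web Sharing) and com.openssh.sshd (Remote Login) are this example’s assumption about what “advanced UNIX services” means in practice, and the launchctl sample embedded in the script is constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Shellshock exposure check for a Mac (or any Unix). Added example; not code
# from the article or from Apple.
#
# shellshock_check [BASH]  exit 0 if BASH (default: the bash on PATH) rejects
#                          both known payloads, 1 if either succeeds,
#                          2 if the binary cannot be found.
# exposed_services         filter "launchctl list" output (stdin) down to the
#                          stock services that give remote parties a path to
#                          bash. The labels are an assumption about stock OS X:
#                          org.apache.httpd (Web Sharing, exploitable when CGI
#                          is enabled) and com.openssh.sshd (Remote Login).

shellshock_check() {
    target=${1:-bash}
    command -v "$target" >/dev/null 2>&1 || return 2

    # CVE-2014-6271: the article's test. An environment variable whose value
    # begins with "() {" is imported as a function by unpatched bash, and the
    # command after the closing brace runs at import time, before -c does.
    out=$(env x='() { :;}; echo vulnerable' "$target" -c 'echo hello' 2>/dev/null)
    case $out in
        *vulnerable*) return 1 ;;
    esac

    # CVE-2014-7169: the incomplete-fix bypass. The unterminated redirection
    # in the payload is carried over into the -c command, so a vulnerable bash
    # runs "> echo date" and leaves a file named "echo" in the working
    # directory. Run it in a scratch directory so nothing is left behind.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$target" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

exposed_services() {
    # "launchctl list" prints PID, last exit status and label; keep the label.
    grep -E 'org\.apache\.httpd|com\.openssh\.sshd' | awk '{ print $NF }'
}

# Constructed sample of "launchctl list" output (not captured from a real Mac)
# for exercising exposed_services on a machine without launchctl.
SAMPLE_LAUNCHCTL='PID   Status  Label
123   0       org.apache.httpd
-     0       com.apple.mdworker
456   0       com.openssh.sshd'

report() {
    shellshock_check "${1:-bash}"
    case $? in
        0) echo "bash: patched (CVE-2014-6271 and CVE-2014-7169 payloads rejected)" ;;
        1) echo "bash: VULNERABLE" ;;
        2) echo "bash: not found"; return 2 ;;
    esac
    # launchctl exists only on OS X; elsewhere the pipeline yields nothing.
    exposed=$(launchctl list 2>/dev/null | exposed_services)
    if [ -n "$exposed" ]; then
        echo "services running that can pass remote input to bash:"
        echo "$exposed"
    else
        echo "no Web Sharing or Remote Login service running"
    fi
}

report "$@"
```

Save it as shellshock-check.sh and run `sh shellshock-check.sh`, or `sh shellshock-check.sh /usr/local/bin/bash` to test a Bash you built yourself. “VULNERABLE” with no services listed is Apple’s “safe by default” case; “VULNERABLE” with a service listed is the case where you should not wait for the update.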


35 responses to “Apple: ‘Vast majority of OS X users’ need not worry about Shellshock exploit”

  1. Emile says:

    How can the vast majority of Apple users be safe, knowing that only Yosemite is safe? I just tried on my Mavericks and the command returns “vulnerable”. WTF?

    • sigzero says:

      Because the “vast majority” don’t expose themselves on the Internet? Just because you have the vulnerable version doesn’t mean it can be exploited. That said, Apple should fix it.

  2. Lebaigneur says:

    Did you actually try the line you suggest before posting it?
    Doesn’t work because of the stylized quotes… FYI, it needs straight single quotes.

  3. Lebaigneur says:

    As in env x='() { :;}; echo vulnerable' bash -c 'echo hello'

    • To97 says:

      Thanks for this Emile – mine returns “vulnerable hello”.
      I assume this is because I have installed Xcode or similar for class projects.
      Is there any way I can now revert to not using these advanced Unix services and receive the safe line back? Anyone know?

      • PMB01 says:

        No, you would have to manually update Bash to get the safe line. The only other way your Mac will be “safe” is if you are running Yosemite. Apple won’t wait too long to update Mavericks, though.

  4. igorsky says:

    Wow, dude…maybe a more appropriate photo for the story?

  5. Dec says:

    Yeah I think maybe a different photo might be more appropriate?

  6. Apple needs to be more specific about what “advanced UNIX services” those are. Just as an example, Desktop Server, a little app that helps make a local WordPress site, automatically installs and runs Apache web server, MySQL and PHP on your machine. What are those services, Apple?

    • sigzero says:

      Yes, because the “vast majority” is going to install that. smh

      • How do you know how many apps install “advanced UNIX services”? How many web devs use a Mac? If we don’t know what those services are, we can’t state anything. Apple needs to disclose the info and patch the vulnerability.

      • Richard Liu says:

        Shellshock is basically a local vulnerability. If you really know how it works, you won’t be asking this. And if you don’t, then you’d never need to worry about it.

        First, crackers can NOT just type a few keys on their computer to screw up your computer. No. They can’t do that so easily. They need to execute the attacking scripts LOCALLY on your computer so that it may take effect. Which means they can attack one computer ONLY after they gain access to the computer, are able to upload files onto the computer, and have been authorised to execute commands. For most personal users, whenever crackers can do this, they’re probably standing in front of your computer, using your keyboard and mouse.

        However, computers used for public service are prone to this vulnerability. For example, lab computers on which users have restricted access rights, a file server that provides an SCP/SSH login interface such as GitHub, or a rental web server host that allows you to execute CGI-BIN. If you maintain servers for these types of service, then you should patch this ASAP. Otherwise, there is no need to panic.

        If you don’t understand what I’m talking about, you’d never need to worry about this vulnerability.

      • Mr Richard Liu, thanks for the answer. As stated in these comments, “is ignorance bliss?” And maybe a simple app (Desktop Server) will install and run “Apache, MySQL and PHP” on your machine.

        I always assume that an ordinary Mac user is a power user (compared to Windows users), so it’s not so uncommon for people to use various “advanced” apps and services on their Macs, since the easy nature of its OS allows it without deep knowledge of coding, etc.

        I do have personal VPS (virtual private servers) running Ubuntu with fairly complex setups (NginX and Varnish with a PHP app).

        While those servers are safe now (Ubuntu released a patch), OS X isn’t. And I don’t have any info about how to make it safe, unless I use Xcode to build a newer version of Bash.

        Crackers will just mass-search for machines with the vulnerability, and it doesn’t matter what OS or role – desktop or server – as long as it’s online. The machine and the resources are there for them to try to take.

        PS: I think the “official” Shellshock vulnerabilities are these: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.

      • Richard Liu says:

        Since you already know what a VPS is, there is no need to explain to you why simply setting up Apache, MySQL and PHP will NOT make you prone to this vulnerability automatically. If you still think any online computer would be at risk, you don’t understand how this vulnerability works.

        Shellshock is NOT some security exploit that crackers can utilise to crack into any anonymous computer over the Internet. You have to set up the right environment so that it may take effect. For Shellshock, the required environment is Apache + mod_cgi + any BASH script based CGI web pages. Your PHP environment is immune to this.

        The vast majority of users, even including those “power users” who know how to code, don’t even understand what we’re talking about. Developing web applications and maintaining servers are two completely different professions.

        This site has detailed explanations about how this vulnerability works and how the attackers can use it against web servers:
        https://community.qualys.com/blogs/securitylabs/2014/09/25/shellshock-is-your-webserver-under-attack
        https://community.qualys.com/blogs/laws-of-vulnerabilities/2014/09/24/bash-shellshock-vulnerability

      • I still think Apple should play its part and make more info available. The role of understanding the info released is mine; I’ll research it. As a computer and UNIX maker, it’s Apple’s role. Cheers.

      • Richard Liu says:

        Apple also included PHP inside OS X. Is Apple under any obligation to teach users that they should call sql_escape_string() to prevent SQL injection attacks?

        Information is free, knowledge is not. Information about Shellshock was published on professional forums and, unfortunately, in mass media since day zero, but only a few people can understand what it means. It’s the user’s role to strengthen their expertise so that they can estimate the level of risk, especially when they’re making a living using their knowledge.

  7. need sleep says:

    I’m on the newest Yosemite public beta and your terminal trick says I’m vulnerable too.

  8. Alex, I find the choice of photograph accompanying this article to be in rather poor taste.

  9. cesterle says:

    I’m on updated Yosemite and it indicates I’m “vulnerable”.

  10. Chris Devers says:

    I am, I suppose, an “advanced Unix user”.

    I haven’t the foggiest idea what you mean by “advanced UNIX services”.

    Also, as others have noted, the sample test doesn’t work — partly because of the ‘curly quotes’, partly because the Javascript on this site adds the stupid “for more, go to http://…” garbage to the clipboard text.

    But, like everyone else that has actually tried it, the test says that my shell is vulnerable to attack.

    I strongly suspect that what Apple’s really saying here is that ALL Macs ARE affected by this bug, but that because MOST Mac users do not use the command line, they are unlikely to encounter a situation where the problem would arise — or at least, they won’t encounter it until exploits start floating around that embed malicious shell code inside something else, which is really only a matter of time.

    Really, it’s a bit like saying “yes, there’s a black widow spider in your basement, but most people rarely if ever go down to the basement, so it’s not a problem.” The obvious problems being (a) some people certainly do go down to the metaphorical basement, and (b) sometimes the metaphorical venomous beast will find its way upstairs. The metaphorical basement is there, whether or not you personally use it, and the beast down there can’t simply be wished away. The threat has to be eliminated, and as soon as possible.

    Could you maybe get someone that understands Unix to do a rewrite of the article?

    • Richard Liu says:

      You don’t understand. BASH is there, even if you’d never heard about Terminal.app. However, most users are NOT affected because they don’t use their computers as servers or public workstations. AND if someone does use their computer for such services, they will have enough knowledge to understand how it works and how to mitigate the effect.

      If you really know how it works, you won’t be asking this. And if you don’t, then you’d never need to worry about it. It’s quite simple.

  11. Carlos Andres Acuña Zamora says:

    -bash: syntax error near unexpected token `('

  12. freemdoom says:

    “So if you don’t even have an idea of what “advanced UNIX services” are, you’re safe.”

    Ignorance is bliss?

    • Richard Liu says:

      No. You’ll get yourself in a risky situation ONLY after you have enough knowledge to utilise these advanced services.

      Setting up advanced services is NOT like driving a car. You can never invoke such services accidentally. You must know what you’re doing so that they’ll be functional. And when you’re capable of doing this, you’ll understand what this vulnerability is about. And if you don’t, then you’d never need to worry about it.

      If you want to learn more about it, you may start with gcc, make and vi. And then you may try to set up Apache and mod-cgi from source code. It took me one month to set up my first server from ground zero, following step-by-step instructions, and twenty years working as a computer engineer to keep expertise in this field.

  13. Robert Trance says:

    I have had my new MacBook Pro since yesterday evening, replacing an iMac, so no advanced stuff is configured in Unix services, and it still returns “vulnerable”!

    • PMB01 says:

      As stated in the article, it will only not return vulnerable if you’re running Yosemite (you can also update Bash manually through Terminal to fix it). You’re vulnerable, but you won’t be affected by it because those services being enabled are required for someone to get in.

  14. Joey Pasco says:

    Yeah I’m getting a “vulnerable” too and I have no idea why, as I’ve never touched UNIX to my knowledge, and certainly not on this machine (which is only 2 weeks old).

    I’m not sure whether I should be worried or what.

    • PMB01 says:

      Why is this so hard to understand? You don’t have to have touched it to be vulnerable. Unless you’re running Yosemite or have updated Bash manually, you’re vulnerable. Not using “advanced Unix services” means the vulnerability doesn’t really matter to you.

  15. RaptorOO7 says:

    So my brand new MBP that has nothing on it but the included apps and MS Office for Mac, and nothing else, also comes up as vulnerable. Regardless of whether this is a real security risk, it still makes Macs vulnerable, and once again Apple takes the “no need to worry” approach instead of actually doing something.

  16. RobG says:

    Ya know what else would be helpful? If we could copy stuff to the clipboard without some bullshit extra text being added about “To read more about this, click here” or somesuch.

  17. Hans D. Baumeister says:

    I get
    -bash: syntax error near unexpected token `('

    as a result.
    What does that mean? Am I susceptible?
