Author Topic: Bash bug (Read 4415 times)

Paddy · « **on:** September 24, 2014, 09:40:31 PM »

Great...just what we need.

http://arstechnica.com/security/2014/09/bu...-it/?comments=1

So far, nothing from Apple and I ran the command to test my system and as expected, it's vulnerable. However, that's assuming someone can get into my system, and that part of the equation is not fully explained in any of the articles I've read so far.

kimmer · « **Reply #1 on:** September 24, 2014, 10:25:06 PM »

QUOTE(Paddy @ Sep 24 2014, 07:40 PM) <{POST_SNAPBACK}>

So far, nothing from Apple and I ran the command to test my system and as expected, it's vulnerable.

Same here. Hope Apple isn't too busy fixing iOS 8.0.1 to fix this.

Jack W · « **Reply #2 on:** September 25, 2014, 07:56:03 AM »

What's a Bash bug?

And what OS X versions might be vulnerable?

And do I need to worry?

Inquiring minds want to know.

I'm still on 10.6.8, and VERY happy with it.

Jack

Xairbusdriver · « **Reply #3 on:** September 25, 2014, 09:11:48 AM »

I'm just about knowledgeable to get into trouble using Terminal. Like most Mac apps, Terminal has a command-, Preferences command. In the "Startup" tab, "Shells open with:" accepts several different choices, this archived <Support Document> lists the ones I still see in Mavericks. That's all I know about this 'technology!

Running the script while only temporarily changing the shell still produces the "vulnerable" text. I assume because the command actually forces it to run in bash.

I permanently changed the Terminal Shell choices six times (from bash to each of the five choices below), Quit Terminal, restarted Terminal, edited the command to the reflect the new shell (saved/edited in TextEdit).
Result of tests:

Unfortunately, there seem to be some things (specifically CUPS drivers) that only use bash. I can only assume that changing Terminal, via its Prefs, would affect those things. OTOH, it may make no difference. The problems is that bash has a security hole that needs patching. I suspect Apple may not make this a huge priority as so few Mac users even know that Terminal is available. I hope I'm wrong!

A bit more simple explanation and possible locations where it could exist (routers/printers/web-servers). <‘shell shock’ @ MacIssues.com>

jchuzi · « **Reply #4 on:** September 26, 2014, 06:08:52 AM »

How to unofficially fix the ‘Shell Shock’ bash vulnerability in OS X

Xairbusdriver · « **Reply #5 on:** September 26, 2014, 08:25:15 AM »

If Apple is as fast with this as they were with the iPhone fix, there should be an update for the OS today. Of course, that still leaves all the other hardware not under Apple's control.

jchuzi · « **Reply #6 on:** September 26, 2014, 08:55:47 AM »

Considering that all versions of OS X are affected, will Apple issue a patch for 10.6 and earlier? That's an important question.

Xairbusdriver · « **Reply #7 on:** September 26, 2014, 09:29:20 AM »

I believe the problem, for OS X, anyway, is simply a patch to bash .exe file in /bin. That * should be relatively simple! I can only *assume that the fix will remove the problems with hardware directly connected to any machine calling bash.

This remark (below) from Mr. Cook is, hopefully, just spin trying to offer calm to the wide-spread news coverage. OTOH, I think it could be better worded; without mentioning what "advanced UNIX services" are, many owners of multiple machines may not realize they are possibly "advanced users".

QUOTE("Tim Cook on iMore.com via MacIssues")

With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

* Two most over-used words in any language!

* A seriously dangerous and often mistaken attitude.

jchuzi · « **Reply #8 on:** September 26, 2014, 11:16:32 AM »

Here's another take: Safe from Shellshock: How to protect your home computer from the Bash shell bug

beacher · « **Reply #9 on:** September 26, 2014, 11:39:05 AM »

What I took away from the article was that as long as you're behind the firewall, you're safe. . . Am I wrong?

Xairbusdriver · « **Reply #10 on:** September 26, 2014, 12:26:57 PM »

QUOTE

as long as you're behind the firewall, you're safe

Certainly the recommended standard setup. But there are numerous things using the Internet that also use bash; your cable router may, even the WiFi router (even Apple's), a networked printer, etc. I've read that CUPS drivers use it, be careful of any offers to update those.

The most security we have, right now, is that most malware still needs approval from the administrator to install/run. The real problem with this is on the servers you access via the net and there's really nothing you can do about those other than to avoid un-trusted sites. You might want to turn off Remote Login, Management and Apple Events in your Sharing Prefs, however. Especially if that 'remote' sharing is done on an external connection. This is all my opinion, of course, which won't buy you a cup of java at Fivebucks, even if you include a couple of dollars!

I think Apple will have a download patch by tomorrow, if not by tonight. The bad PR is so wide-spread, even my mother-in-law probably has heard about it!

While searching for known 10.9.5 problem reports, I cam across a thread on the Apple Forums that has some well detailed, if opinionated, recommendations on using the Mac safely. Interesting read, don't agree completely but worth the read. There's a bit that talks about the Firewall that is interesting, also.

<Linc Davis post at or very near the bottom of the page>

tacit · « **Reply #11 on:** September 26, 2014, 04:29:40 PM »

QUOTE(Paddy @ Sep 25 2014, 02:40 AM) <{POST_SNAPBACK}>

So far, nothing from Apple and I ran the command to test my system and as expected, it's vulnerable. However, that's assuming someone can get into my system, and that part of the equation is not fully explained in any of the articles I've read so far.

By default, unless you're doing something unusual on your Mac, people elsewhere can't exploit this vulnerability.

If you are doing something unusual that specifically allows shell access to other people on the Internet, then it is possible for someone to exploit this remotely. In order to do that, you would have to be running some kind of server on your Mac that allows shell access.

You could, for example, run a Web server on your Mac and have it allow CGI scripts to access the shell, and then you might be vulnerable to attack. If that all sounds like gibberish to you, you're probably not doing it.

Paddy · « **Reply #12 on:** September 26, 2014, 05:27:16 PM »

QUOTE(tacit @ Sep 26 2014, 05:29 PM) <{POST_SNAPBACK}>

QUOTE(Paddy @ Sep 25 2014, 02:40 AM) <{POST_SNAPBACK}>

So far, nothing from Apple and I ran the command to test my system and as expected, it's vulnerable. However, that's assuming someone can get into my system, and that part of the equation is not fully explained in any of the articles I've read so far.

By default, unless you're doing something unusual on your Mac, people elsewhere can't exploit this vulnerability.

If you are doing something unusual that specifically allows shell access to other people on the Internet, then it is possible for someone to exploit this remotely. In order to do that, you would have to be running some kind of server on your Mac that allows shell access.

You could, for example, run a Web server on your Mac and have it allow CGI scripts to access the shell, and then you might be vulnerable to attack. If that all sounds like gibberish to you, you're probably not doing it.

It's not gibberish and I'm not doing it.

I was pretty sure that regular users were not vulnerable, but with all the hand-flapping and BIG SCARY HEADLINES (the press just loves those!) combined with the inadequate explanations of how or if this actually affected the average computer user, I wasn't about to go out on a limb and say "don't panic."

Now I will.

Don't panic.

Xairbusdriver · « **Reply #13 on:** September 26, 2014, 06:01:04 PM »

I don't think any of the sites we've linked to have said anyone needs to panic, in fact, just the opposite has been said in most of them, even the Windows sites.

The fact remains that this is a huge problem, even if you are not personally affected. I suspect that most details are not mentioned specifically because not many consumers would understand them. Another reason is to gain click throughout.

There are probably few hackers who haven't figured out how to use this bug except for the neophytes, and there is no point in giving them any more details! Lastly, the more "concern" that can be generated, the sooner all the installations of bash will be updated.

Next.

jchuzi · « **Reply #14 on:** September 26, 2014, 06:41:39 PM »

As the saying goes:

If you can remain calm while those around you are in a panic, you probably don't understand the situation.

News:

Author Topic: Bash bug (Read 4415 times)