Apple finally patches Bash Shellshock vuln that WAS NOT A WORRY, OK?

Apple and F5 are the latest big-name vendors to post responses to the “Shellshock” vulnerability in Bash. Just days after saying “the vast majority of OS X users are not at risk”, Cupertino has posted Bash fixes for OS X Lion, Mountain Lion, and Mavericks. The fix is now available in OS X users' Software Update. It would, …

  1. DerekCurrie

    "FINALLY!" <-Snarled 5 Year Old. Some more objective information:

    Setting aside the childish headline...

    There are currently 6 known and listed Bash CVEs. That number will probably increase tomorrow. (CVE stands for Common Vulnerabilities and Exposures. Each CVE describes a specific security flaw found in public software). The APPLE-SA-2014-09-29-1 OS X bash Update 1.0 patched TWO of those six. Three further CVEs have been provided with descriptions at NIST (the USA National Institute of Standards and Technology), indicating that patches have been coded and are forthcoming. One CVE remains undescribed and unlisted at NIST, indicating that no patch has as yet been coded.

    I'll be keeping track of the Bash CVEs and Apple's patchfest at my Mac-Security blog. I promise not to be TOO childish. (o_O)

    http://mac-security.blogspot.com/2014/09/coverage-of-apples-bash-shellshock-bugs.html

    1. amanfromMars 1 Silver badge

      Re: "FINALLY!" .... Is there something New and Exciting!

      Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement. …. 2014-09-29, 6:30 pm:… http://mac-security.blogspot.co.uk/2014/09/coverage-of-apples-bash-shellshock-bugs.html

      Hi, DerekCurrie,

      If you were to tell me and El Regers that “better detecting the end of the function statement” is any better than just an educated subjective guess at a constantly moving and evolving objective targeting functions and common vulnerabilities with exposure to explosive exploits, I would wholeheartedly and fundamentally disagree with you.

      And a patch is surely only a desperate temporary fix and not at all a viable working solution to an abiding burgeoning problem which is presenting opportunities currently daily to …. well the Zer0Day Vector is a Novel Creative CyberSpace Command and Control Sector which Bugs the Captive Monopolist Capitalist Investment Market Place to Deny, Degrade and/or Destroy All Opposing Competition and Competitive Opposition.

  2. Richard Boyce

    Not available

    Not available to me here in the UK, yet. Maybe the update's been pulled to apply a patch to the patch. Maybe the recent update to Mavericks broke more than TextEdit and Preview on my Mac, also breaking Software Update.

    Maybe Apple will one day stop breaking as much as they fix. Grrr.

    1. Charlie Clark Silver badge

      Re: Not available

      Or maybe they will grow up and bless MacPorts or Homebrew as the systems for managing their POSIX stuff and just integrate it with their software update GUI.

      At the moment I have to do the following every day:

      sudo port sync && port outdated

      if there are any outdated packages

      sudo port upgrade outdated && sudo port uninstall inactive

      Don't wait for Apple: install MacPorts from http://www.macports.org

      1. Wzrd1 Silver badge

        Re: Not available

        Wow! Thanks for reminding me, I had put off updating macports last night, after a disconnect at an inopportune time borked the install.

      2. Dan 55 Silver badge

        Re: Not available

        MacPorts won't update the system bash, so you've still got a problem.

        1. Charlie Clark Silver badge

          Re: Not available

          sudo port install bash

          1. Dan 55 Silver badge

            Re: Not available

            Yeah, but that's not the system bash. Check the path. You've got two copies of bash and one is unpatched unless you've installed Apple's bash update.

            1. Vargs

              Re: Not available

              Yup, /bin/sh and /bin/bash are both slightly different executables of Bash. Although (if you have MacPorts) the new Bash you just built will be at /opt/local/bin/bash, and your log-in shell will pick that before /bin/bash. Background processes don't have their PATH set that way and will execute /bin/sh.

              Incidentally, I wouldn't recommend that sequence of port commands. Best practice is to do

              # port selfupdate

              # port uninstall inactive

              # port upgrade outdated

              That way, if a port upgrade is borked, as they sometimes are, you can roll back to the previously working version.

        2. Hans 1

          Re: Not available

          The bash from MacPorts comes with a cool command built-in named "cp", you know.

          1. Dan 55 Silver badge

            Re: Not available

            You're confident that MacPorts' bash 4.3 is 100% backwards compatible with Apple's bash 3.2, so it won't disrupt the other Apple stuff which calls it?

            http://tiswww.case.edu/php/chet/bash/COMPAT

      3. Frankee Llonnygog

        Re: Not available

        You know how to use the command line, and you find yourself typing the same command every day... I feel your pain. If only there were a way to automate this

        1. Charlie Clark Silver badge

          Re: Not available

          @Frankee

          Sure, I could write a cronjob to run as root to do this but: will my machine be on when it's due to run? Do I get to tell it not to run because I'm on a shitty or expensive network?

          Anyway, the main point is Apple ships a load of POSIX stuff, some of which is weirdly patched and/or broken, and doesn't maintain it. Not everyone is familiar with the command line, and even those of us who are have better things to do. Taking the POSIX stuff out of the OS and treating it as third-party ports would make it a lot easier for Apple to integrate (and test) upstream fixes and include them in a user-friendly GUI like Software Update.

      4. Mark 65

        Re: Not available

        "Or maybe they will grow up and bless MacPorts or Homebrew as the systems for managing their POSIX stuff and just integrate it with their software update GUI."

        Yeah, that'd be nice. Took a whole load of effort for me just to be able to subscribe for UPS outage broadcasts from my NAS because OSX wants to be the first and only listener.

    2. Wzrd1 Silver badge

      Re: Not available

      Didn't show up in my crApp store either, had to manually go to Apple and download it.

      Not that I needed it, despite a few CGI scripts I happen to run, I had already downloaded bash, compiled and installed the debugged one.

  3. Anonymous Coward

    Are these vendors working together at all on bash patches?

    Because based on the patch-of-the-day club at Red Hat (on version #3 and counting...), Apple having a patch that the poster above claims only addresses some of the flaws, and others having patches for some of their products but not others, it seems like everyone's security team is coming up with their own fixes for bash that only incrementally address the issues.

    Hopefully at some point someone will have a patch that actually fixes the flaw 100% (without adding new vulnerabilities) and everyone else will copy those changes into their version. Apparently no one wants to work together because they don't want that cooperation to delay their fixes, but it is worse to put out patches that only partially address the issue than it is to be kept waiting for a complete fix.

    Sounds like OS X will need at least one more cycle if this isn't a complete fix, and Red Hat has already had three and there's no reason to believe that's it, so given these two examples that's probably going to be par for the course for everyone. Sounds like a really shitty week to be a sysadmin, sure am glad I'm not!

  4. Anonymous Coward

    Is this really relevant for OS X?

    I mean, how many OS X users run services over the network that can spawn bash to service requests?

    I guess the mainstream Mac user base does not know what a service is, and for them "bash" is something related to violence. For the remaining small set of developers and techies using Macs, this is likely also not very relevant: no one with a smidgen of computer knowledge leaves unnecessary services running, much less those that allow remote bash execution.

    Not an Apple fan, by the way. But this bash bug is already being exposed out of proportion. Yes, Linux servers running software old enough to fork bash to do something can be affected. Yes, perhaps there are some appliances out there not using BusyBox that are affected. Rest of the machines, better look out for infected Linux machines trying to serve some malware; there's very little else you can/should do about it.

    1. big_D Silver badge

      Re: Is this really relevant for OS X?

      I've heard reports, although no confirmation, that OS X uses BASH for DHCP request purposes, so a malicious DHCP request in a coffee shop etc. could cause problems; but I agree, generally, most Apple users won't have been at immediate risk, if they aren't running something like an Apache stack or using their OS X machine as an Internet service gateway using BASH as the gateway.

      1. Destroy All Monsters Silver badge

        Re: Is this really relevant for OS X?

        > an Internet service gateway using BASH as the gateway.

        What do I see?

        1) CGI does not mean there is an "Internet service gateway", whatever that is.

        2) bash is not written BASH

        Clarity, please!

        1. big_D Silver badge

          Re: Is this really relevant for OS X?

          Okay, by Internet service gateway I mean an Internet facing CGI. One that is restricted to an Intranet could cause problems long term, but it isn't a priority one, stop the service now, until we get a patch, type of bug.

      2. whatevs...

        Re: Is this really relevant for OS X?

        "I've heard reports, although no confirmation, that OS X uses BASH for DHCP request purposes, so a malicious DHCP request in a coffee shop etc. could cause problems"

        You've got it backwards; unpatched versions on Linux work this way. The reason that it's not as pressing for OS X is because it is not vulnerable via DHCP, whereas Linux based distro are.

      3. dr2chase

        Re: Is this really relevant for OS X?

        Now you’ll have heard a report that it’s not DHCP-vulnerable, because I tested it myself, and also wrote down the test that I performed, because otherwise why would you trust me (or anyone else):

        http://dr2chase.wordpress.com/2014/09/27/documenting-dhcp-bash-vuln-test-on-osx-mavericks/

        Executive summary: Mavericks DHCP client not vulnerable.

        1. Charlie Clark Silver badge

          Re: Is this really relevant for OS X?

          Executive summary: Mavericks DHCP client not vulnerable.

          But is it vulnerable to other exploits?

          1. dr2chase

            Re: Is this really relevant for OS X?

            I’d never say never, but at least that exploit doesn’t get in. If you can suggest another in that style, I can easily test it, and if you had a Tomato router and a Mac you probably could too (that’s why I showed the steps). My guess, since I tested pre-patch, is that Apple is using something other than bash behind its DHCP.

            But sure, buffer overruns, attacks on some other scripting language, who knows?
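The two threads above (Vargs's point that the MacPorts bash on your PATH is not the /bin/sh that background jobs run, and dr2chase's argument that a vulnerability test is only worth anything when it is written down and reproducible) both reduce to the same check. The script below is an added example, not code from the thread or from any of the posters. It runs the widely published CVE-2014-6271 probe (an environment variable shaped like an exported function with a command appended) against each Bash a Mac might actually execute, then mimics the DHCP hook pattern Linux clients use, where lease fields arrive as environment variables of a hook script. The variable name `new_domain_name` is borrowed from dhclient-script on Linux as an illustration; the /opt/local and /usr/local paths are the usual MacPorts and Homebrew locations and are assumptions. It does not reproduce dr2chase's router-based test, only the mechanism it exercises.

```shell
#!/bin/sh
# Added example (not from the thread). Probes each Bash binary for the original
# Shellshock bug (CVE-2014-6271) and shows why /bin/sh vs. the bash first on
# PATH matters: background jobs and hook scripts run /bin/sh, not your login shell.
#
# Probe: export a variable whose value looks like an exported function definition
# with a command appended. An unpatched bash executes the appended command while
# importing its environment; a patched bash leaves the variable as plain data.

MARKER=SHELLSHOCK_MARKER

# shellshock_probe SHELL_PATH -> prints "vulnerable", "not vulnerable" or "missing"
shellshock_probe() {
    probe_shell=$1
    [ -x "$probe_shell" ] || { echo missing; return 0; }
    probe_out=$(env x="() { :;}; echo $MARKER" "$probe_shell" -c 'echo probe' 2>/dev/null)
    # The marker appears on a line of its own only if the appended command ran.
    if printf '%s\n' "$probe_out" | grep -qx "$MARKER"; then
        echo vulnerable
    else
        echo "not vulnerable"
    fi
    return 0
}

# dhcp_hook_probe SHELL_PATH -> prints "executed", "data" or "missing"
# Mimics a DHCP client hook: the client exports lease fields as environment
# variables (dhclient-script on Linux uses names such as new_domain_name, assumed
# here for illustration) and runs a hook script under SHELL_PATH. The "lease"
# field carries the probe string; the hook itself only prints what it was given.
dhcp_hook_probe() {
    hook_shell=$1
    [ -x "$hook_shell" ] || { echo missing; return 0; }
    hook_file=$(mktemp) || { echo missing; return 0; }
    echo 'echo "hook saw domain=$new_domain_name"' >"$hook_file"
    hook_out=$(env new_domain_name="() { :;}; echo $MARKER" "$hook_shell" "$hook_file" 2>/dev/null)
    rm -f "$hook_file"
    if printf '%s\n' "$hook_out" | grep -qx "$MARKER"; then
        echo executed      # payload ran before the hook's first line
    else
        echo data          # field reached the hook as an ordinary string
    fi
    return 0
}

# Report every shell a Mac might actually run: the bash first on PATH (what your
# Terminal gets), the MacPorts/Homebrew builds (assumed paths), and Apple's own.
probe_mac_shells() {
    for s in "$(command -v bash)" /opt/local/bin/bash /usr/local/bin/bash /bin/bash /bin/sh; do
        [ -n "$s" ] || continue
        printf '%-24s %s\n' "$s" "$(shellshock_probe "$s")"
    done
    return 0
}

probe_mac_shells
printf 'DHCP-style hook under /bin/sh: %s\n' "$(dhcp_hook_probe /bin/sh)"
```

On an unpatched Mavericks with a freshly built MacPorts bash, the first line of the report reads "not vulnerable" and the /bin/sh line reads "vulnerable", which is exactly the gap Dan 55 and Vargs describe. If /bin/sh is not bash at all (dash on Debian, the FreeBSD sh Vargs mentions), the probe reports "not vulnerable" because there is no function import to abuse.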

    2. TheOtherHobbes

      Re: Is this really relevant for OS X?

      >I mean, how many OS X users run services over the network that can spawn bash to service requests?

      You know Apple sells something called OS X Server, which - they claim - is a good way for small biz and home users to set up LANs and serve web pages on the Internets? Running - or trying to run - network services is exactly what it's supposed to do.

      Now, IME Server is worse than a joke, and many parts (such as Samba) simply don't work.

      But there are people trying to use this thing, and if Apple haven't patched it properly they're going to get bot-pwned.

    3. Charlie Clark Silver badge

      Re: Is this really relevant for OS X?

      Lots of stuff in OS X is run via the shell so the exposure is there. Anyone who has web sharing enabled is in danger so Apple is responsible for protecting them.

    4. Amorous Cowherder

      Re: Is this really relevant for OS X?

      Ah so just 'cos very few people will use it, we don't need to worry too much about it? OK.

      Hmmm, I do anticipate a lot of tears before bedtime if we all followed that sort of thinking.

  5. Vargs

    Why Bash at all?

    What baffles me is why some Linux distros and Mac OS X would use such a heavyweight shell as /bin/sh. Bash is supposedly a drop-in replacement for the Bourne shell but with loads of enhancements to the user interface -- which are surely not necessary for background use.

    If background scripts want to use Bash's programming functionality they can have themselves run in it using a hashbang directive.

    The FreeBSD userland (upon which Mac OS X is based) takes exactly this approach. It has a lightweight POSIX Bourne shell at /bin/sh, and requires system scripts to stick to core syntax.

    1. Charlie Clark Silver badge

      Re: Why Bash at all?

      Mac OS doesn't have a root user in the same way that BSD does so you run sudo -s with the same shell as your user. I agree root with the C-shell would be better but that's the way it is.

      1. Dan 55 Silver badge

        Re: Why Bash at all?

        You can enable the root user with Preferences > Users & Groups > Login Options > Network Account Server > Join > Open Directory Utility > Edit > Enable Root User.
