If you’re a Mac user, you may have felt wrongfully left out of all the Shellshock kerfuffle over the past few days.
A lot of the talk about the bug has been Linux, Linux, Linux on servers, servers, servers.
Web servers are particularly at risk, because they often handle special functions such as searches using command scripts that are fed with data from external web requests.
For all you know, when you send a web request like this:
http://example.net/search?term=banana
you might very well be telling the server to run a special command in the background, such as:
/usr/local/bin/searchfor --database=website.index \
    --searchword=banana
That command might be launched by the server using Bash.
And the server might set some helpful environment variables for the searchfor Bash script to have handy, such as:
USER_AGENT
GET_REQUEST
HTTP_REFERER
All of these would be populated with data sent in your original request.
So you could control not only when to run Bash, but also what was contained in some of its environment variables when it ran.
That’s most of what you need to exploit Shellshock.
So, with many web servers running Linux, and many Linux servers running Bash, it’s understandable that a lot of the Shellshock buzz has concentrated on this combination.
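The data path described above, sketched as an added example that is not part of the original article: a hypothetical server copies request data into the three environment variables named earlier, and a screening step flags any value that Bash would try to import as a function definition (a value beginning with "() {") before the helper script is launched. The request layout, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

# Bash imports an environment value as a shell function when it begins
# with "() {". Shellshock lives in that import step, so a request-derived
# value with this prefix should never reach a Bash child process.
# Matched loosely (optional whitespace) so near-variants are flagged too.
FUNCDEF_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    {"path": "/search?term=banana",
     "headers": {"User-Agent": "Mozilla/5.0 (Macintosh)",
                 "Referer": "http://example.net/"}},
    {"path": "/search?term=banana",
     "headers": {"User-Agent": "() { :; }; <trailing text>",
                 "Referer": "http://example.net/"}},
]


def build_env(request):
    """Copy request data into the environment, as the article's server does."""
    headers = request["headers"]
    return {
        "USER_AGENT": headers.get("User-Agent", ""),
        "GET_REQUEST": request["path"],
        "HTTP_REFERER": headers.get("Referer", ""),
    }


def flagged_vars(env):
    """Return the names of variables whose value looks like a function definition."""
    return sorted(name for name, value in env.items()
                  if FUNCDEF_PREFIX.match(value))


def screen(requests):
    """Return (request index, flagged variable names) for each suspicious request."""
    report = []
    for index, request in enumerate(requests):
        hits = flagged_vars(build_env(request))
        if hits:
            report.append((index, hits))
    return report


if __name__ == "__main__":
    for index, names in screen(SAMPLE_REQUESTS):
        print(f"request {index}: refuse to launch Bash, flagged {names}")
```

Screening like this is a stopgap for logging and blocking; the fix is still a patched Bash.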
What about OS X?
Of course, Macs famously use Bash as their default command shell.
Yet most Macs aren’t running Linux, and aren’t servers.
So what about some Shellshock excitement for OS X users?
Here it is: Apple has pushed out an update entitled OS X bash Update 1.0.
So far, at least [2014-09-29T23:55Z], it doesn’t seem to be available via the Software Update... option in the Apple menu, so you will have to get it yourself:
When you’ve done the download, you’ll have a DMG (disk image) file called BashUpdateXxxx.dmg, where Xxxx is your operating system name, e.g. Mavericks:
Open the DMG and you will find a .pkg (installation package) file:
Double click it, give it an administrator password so it can change key system files, and you are done.
You can check that the update worked by opening a Terminal window and issuing the bash -version command:
See?
Geeky bugfixing fun isn’t just for Linux acolytes.
Sadly, there is currently no patch for machines running the public or developer builds of OS X Yosemite.
You could try Macports, though installing from there doesn’t replace or re-link /bin/bash and /bin/sh. You’d have to fix that yourself; presumably any official Apple update would “fix” them back.
They’ve had a couple of updates in the last few days…
I then renamed my Macports binary to bash4 as I now have the Apple update, too.
Thank you Duck!
What this article doesn’t say is that the update from Apple is for the latest releases of Lion, Mountain Lion and Mavericks (10.7.5, 10.8.5 & 10.9.5 respectively). If you attempt to install the update on an earlier release then you will get a message saying “This update requires OS X version 10.x.5 or later” (where x can be 7, 8 or 9 depending on your version of OS X).
That’s good! It means that trying to update against Shellshock will act as a sort of automatic warning that you’ve forgotten the previous update (or more than the previous).
There are LOTS of security fixes, many of them probably much more critical than the Shellshock fix, at least for laptops and desktops, in the 10.7.x, 10.8.x and 10.9.x point releases. If the Shellshock update forces your hand to get those other updates first…that’s a good thing, right?
Being “forced” to update one’s OS in order to get security updates is definitely not “a good thing” if one is unable to update one’s OS for some reason(s). I won’t go into the details – I’ll simply say: please send me about $6000 so I can leap forward from my Snow Leopard…
If you have a particular reason why you can’t use Apple’s updates, then you can still build your own patched version (e.g. via MacPorts). It’s a bit inconvenient, but probably not nearly as inconvenient as whatever is keeping you running version 10.6.
Thanks. I don’t know anything about MacPorts but I’ll check into it. I did find the web site but I’m not sure I understand the lingo there … yet.
My MacBook cannot be updated past Snow Leopard. I need help, Harold
And Mac OS X Snow Leopard? Nothing, of course
Snow Leopard really is Apple’s very own XP.
It has passed on. It is no more. It has ceased to be. It’s expired and gone to meet its maker. It’s a stiff. Bereft of life, it rests in peace. If you hadn’t nailed it to the perch it’d be pushing up the daisies. Its metabolic processes are now history; it’s off the twig; it’s kicked the bucket; it’s shuffled off its mortal coil, run down the curtain and joined the choir invisible.
So what exactly are you saying Paul?
😉
I think Paul is trying to say that the fat lady has sung for Snow Leopard, it’s gone to Davy Jones’ locker, it’s six feet under, the plug has been pulled, it’s getting stoned… tombstoned that is, etc
Cute, Paul, but Snow Leopard is alive and well – well, except for all those security updates – on my machine where I am feeding and caring for it as best I am able to, and it is taking care of me pretty well, too. It’s a relationship that endures within a realm of economic reality and necessity.
My laptop won’t handle anything newer than OS 10.6.8. Only way I can upgrade is to buy a newer laptop.
Just curious: cases of successful malware exploits against “deceased” 10.6.8 Snow Leopard since last security update (2013)?
I do not know of a single case…yet
I had several Trojan Horse attacks and Sophos got me out of trouble. hfb
Apple’s website where they distribute security patches isn’t https.
Nice job, Apple. Truly the most secure platform.
Hmmm. It is and it isn’t. Namely you can use https:// URLs and it seems you’ll get the download content via TLS. Or not, and you won’t.
For example, if I start at:
https://support.apple.com/downloads/
Then I get a link here:
https://support.apple.com/kb/DL1769
Which offers me this:
https://support.apple.com/downloads/DL1769/en_US/BashUpdateMavericks.dmg
Unless I’ve read all of this wrong, the only way you can get affected by ShellShock is letting the public into your computer! So unless you deliberately allow your LAN IP through your router, you’re completely safe.
For those companies that need to run a public website etc. then they really do need to look at some of the above measures pretty soon.