Apple’s Shellshock patch for Macs is incomplete, says security researcher


CNET

Apple has issued a fix for Shellshock, also called the Bash bug, a flaw that could let hackers gain access to some Macintosh computers. But security experts said Tuesday that Apple’s patch is incomplete and leaves one vulnerability open.

Shellshock affects most computers around the world running Unix and Linux, including Apple’s OS X operating-system software for the Mac. The flaw, which has existed in bash for roughly a quarter-century, allows potentially harmful code to run inside a bash shell, a common, simple interface for issuing commands to the computer. The bug could potentially be used to read sensitive information or take control of the computer.

Tod Beardsley, an engineering manager for security firm Rapid7, told CNET last week that Shellshock is extremely dangerous because it’s easy to exploit and can give hackers the ability to take over Macs. Some researchers have said it’s at least as dangerous as Heartbleed, a similar widespread vulnerability discovered earlier this year.

Rapid7 security researcher Greg Wiseman’s work showing that OS X Mountain Lion is open to a third Shellshock vulnerability.
Screenshot by Seth Rosenblatt/CNET

Apple fixed two vulnerabilities yesterday, but a third Shellshock vulnerability in OS X was discovered by another Rapid7 security researcher, Greg Wiseman. He says he ran a script to test for Bash/Shellshock vulnerabilities and found that even after installing Apple’s patch on OS X Mountain Lion (released in 2012), the operating system was still susceptible to another vulnerability. That vulnerability, CVE-2014-7186, is a bug that could allow denial-of-service attacks, which would prevent a Mac from connecting to local networks or the Internet.

Apple didn’t respond to a request for comment.

The company said last week that only Mac owners who use advanced Unix settings are affected. “Bash, a Unix command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems,” said Apple. “With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced Unix services.”

Apple issued its patch Monday afternoon, five days after first word of the bug began to spread. Apple’s patch addressed two Shellshock vulnerabilities, known as CVE-2014-7169 and CVE-2014-6271.
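As an added example that is not part of the CNET article or of Rapid7’s tooling, here is a small self-check an administrator can run against the local bash to see whether the three CVEs the article names are patched. The probes use the publicly circulated test strings for each CVE; the function names, the temp-directory handling and the report format are this example’s own.

```shell
#!/bin/sh
# Added self-check for CVE-2014-6271, CVE-2014-7169 and CVE-2014-7186.
# Each probe runs the local "bash" binary and prints "patched" or
# "vulnerable"; nothing here touches any other host.

# CVE-2014-6271: bash imported any exported variable whose value began
# with "() {" as a function and also executed whatever followed the
# closing brace. A patched bash treats the variable as plain text.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug; a malformed definition
# made bash apply a dangling ">" redirection to the next command, which
# creates a file named "echo" in the working directory. Look for it in a
# scratch directory so nothing is left behind.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo probe' >/dev/null 2>&1 ) || :
    if [ -e "$tmp/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$tmp"
}

# CVE-2014-7186: more here-documents on one command than bash's fixed
# redirection stack could hold crashed the parser (the denial of service
# the article describes). A patched bash only warns about the empty
# here-docs and runs "true", so a non-zero exit means it still crashes.
check_cve_2014_7186() {
    if bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        echo patched
    else
        echo vulnerable
    fi
}

# Print one line per CVE; the return value is the number of vulnerable probes.
shellshock_report() {
    count=0
    for pair in "CVE-2014-6271 check_cve_2014_6271" "CVE-2014-7169 check_cve_2014_7169" "CVE-2014-7186 check_cve_2014_7186"; do
        set -- $pair
        status=$("$2")
        echo "$1: $status"
        [ "$status" = vulnerable ] && count=$((count + 1))
    done
    return "$count"
}

if command -v bash >/dev/null 2>&1; then
    shellshock_report
else
    echo "bash not found on this system; nothing to check"
fi
```

A non-zero exit from `shellshock_report` means at least one probe still came back vulnerable, so the script can be dropped into a fleet inventory job as-is.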

Apple’s fix has yet to be added to its Software Update service for Macs, which pushes updates to the computers automatically. For now, Mac users need to go to Apple’s site and download the patches for OS X Lion (10.7), OS X Mountain Lion (10.8) and OS X Mavericks (10.9). If you want to know which version of OS X your Mac is running, go to the Apple menu in the upper left corner and click “About This Mac.”
