“Shell Shock” Exploit — Probably Not a Worry For OS X Users

We’ve been hearing a lot about a very serious exploit in a universally-deployed piece of software, the “Shell Shock” bug in the bash shell. I got an alert late yesterday evening, and immediately upgraded the software on my publicly-facing servers.

There’s been some discussion of whether or not it’s an issue for OS X, and some debate over whether it’s a significant exposure on that platform. I didn’t think it was, but I haven’t seen an update for OS X Server to patch it, for example.

My own version of bash is managed through Homebrew, so rather than the stock 3.2, I’m running a newly patched and up-to-date v4.3.25(1). However, I got curious, so I decided to check the stock OS X version of bash for this exploit, and here’s what I found:

[Terminal screenshot: output of the test against the stock /bin/bash]

So, the (rather antiquated) OS X version of bash, which has a “modified” date of May 10, has already been patched to disallow this hack, or so it would appear.

UPDATE: Apple’s given a statement on iMore that OS X users should not be at risk from the “Shell Shock” exploit unless they have “advanced UNIX services configured”. I’m not sure which specific “advanced UNIX services” they’re referring to — at a guess, “Web Sharing”, which I don’t do, seems a likely suspect — but that may be the explanation for the commenters reporting vulnerability and me not seeing it on my system (either in /bin/bash or in /bin/sh)…

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson told iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

UPDATE, 2014-10-01: Apple has put out a patch for OS X systems.
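An added example, not part of the original post or the commenters' sessions: a POSIX shell script that runs the same harmless environment-variable function-definition check against /bin/bash and /bin/sh (or any binaries passed on the command line) and prints each one's version string and modification date next to the verdict, since those are the two facts the thread compares. It assumes GNU stat on Linux or the BSD stat shipped with OS X for the date; the marker word SHELLSHOCK_MARKER is a constructed name.

```shell
#!/bin/sh
# Added example: report whether each given bash binary executes the
# trailing command in a "function definition" environment variable,
# the CVE-2014-6271 pattern the post and its commenters test by hand.
# The payload is the same harmless 'echo' marker the thread uses.
#
# check_shellshock exit status: 0 = patched, 1 = vulnerable, 2 = no such binary.

# Modification date of a file: GNU stat (-c) first, then BSD/OS X stat (-f).
# GNU stat rejects -f's format, BSD stat rejects -c, so each fails cleanly.
mod_date() {
    if d=$(stat -c '%y' "$1" 2>/dev/null); then
        echo "${d%% *}"
    elif d=$(stat -f '%Sm' -t '%Y-%m-%d' "$1" 2>/dev/null); then
        echo "$d"
    else
        echo unknown
    fi
}

# A patched bash defines (or ignores) the imported function and prints
# only "hello"; an unpatched one also runs the trailing 'echo' and
# prints the marker word on stdout.
check_shellshock() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not found or not executable"; return 2; }
    version=$("$bin" --version 2>/dev/null | head -n 1)
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bin" -c 'echo hello' 2>/dev/null)
    echo "$bin"
    echo "  version:  ${version:-unknown}"
    echo "  modified: $(mod_date "$bin")"
    case $out in
        *SHELLSHOCK_MARKER*) echo "  result:   VULNERABLE (trailing command ran)"; return 1 ;;
        *)                   echo "  result:   patched (only 'hello' printed)"; return 0 ;;
    esac
}

# Default to the two binaries the post checks; exit 1 if any is vulnerable.
main() {
    [ $# -gt 0 ] || set -- /bin/bash /bin/sh
    worst=0
    for b in "$@"; do
        check_shellshock "$b" || [ $? -ne 1 ] || worst=1
    done
    return $worst
}

main "$@"
```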

4 thoughts on ““Shell Shock” Exploit — Probably Not a Worry For OS X Users”

  1. On OSX Mav 10.9.5 with latest updates:

    $ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    vulnerable
    hello

    $ bash --version
    GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
    Copyright (C) 2007 Free Software Foundation, Inc.
    $

    1. We’re running apparently identical versions. Why is yours vulnerable and mine not? (What’s the modification date on your bash? Also, you’ve got a few different styles of quote in there, but that may well be WordPress…)

  2. Aphrodite:Desktop darkmoon$ env x='() { :;}; echo VULNERABLE' bash -c 'echo hello'
    VULNERABLE
    hello
    Aphrodite:Desktop darkmoon$ bash --version
    GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
    Copyright (C) 2007 Free Software Foundation, Inc.

    Also on 10.9.5

    1. Again, I’m wondering what the difference between your 3.2.51(1) shell and mine is. Mine’s not returning “Vulnerable”, and has a mod date of 10 May. What’s your shell’s mod date…?
