Shellshock Flaw Poses Big Security Threat for Mac, other Unix Systems

Analysis

Move over, Heartbleed, because here comes Shellshock. This security threat has the potential to be even bigger than Heartbleed because of the way it lets attackers remotely access victims' computers through the Bash command-line shell used on Unix and Linux, and it potentially affects Mac OS X as well as the iPhone, iPad, and iPod touch.

Bash's Shellshock flaw poses big security threat for Macs and other Linux systems

Shellshock is a roughly 25-year-old security flaw in the Bash shell that lets code held in certain environment variables be executed immediately, without the victim's knowledge. That code could give attackers deep access to the system, as well as to any data they want to harvest.

The flaw is a serious threat for Mac users even if they don't typically use the Terminal app to access their computer's Unix underpinnings because many of the apps they use may be tapping into Bash on some level.
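The following self-check is an added example, not part of the article: it sets a constructed environment variable holding a function definition with a trailing command, then starts a child bash. A vulnerable bash runs the trailing command while importing the function; a patched bash does not. It assumes bash is on PATH, and a "patched" result covers only the original bug, not the follow-on parser bugs that were fixed in later updates.

```shell
#!/bin/sh
# Added example (not from the article): local self-check for the Shellshock
# environment-variable bug. The variable value below is constructed; the
# trailing "echo SHELLSHOCK_VULN" must never run on a patched bash.
# Assumption: bash is on PATH; if it is not, the check reports "no-bash".

shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # Start a child bash with the crafted variable in its environment and
    # run a harmless command. Only the import step can print the marker.
    out=$(env x='() { :;}; echo SHELLSHOCK_VULN' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_VULN*) echo "vulnerable"; return 1 ;;
        *)                 echo "patched";    return 0 ;;
    esac
}

shellshock_check
```

Run it as a normal user; it needs no privileges and changes nothing on the system.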

Robert Graham from Errata Security said,

We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we'll never be able to catalogue all the software out there that is vulnerable to the Bash bug.

The threat extends beyond OS X and iOS, too. Many Linux-based computers are susceptible, as are a wide range of other devices such as routers, network-attached storage systems, and even devices that can be programmed via the Internet like home automation products — some of which can't be patched, so they'll always be vulnerable.

Shellshock is being compared to Heartbleed, an OpenSSL flaw that gained widespread coverage earlier this year. That issue posed a serious threat to online servers and other computers because it let attackers steal encryption keys without being detected. With those keys in hand, attackers could intercept and decrypt data passing through online servers.

Apple said OS X and iOS weren't vulnerable to Heartbleed, but other companies scrambled to patch the flaw in their products. Because some companies with vulnerable devices aren't around any more, or aren't supporting their older products, many devices on the Internet are still open to Heartbleed attacks.

"Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time," Mr. Graham said. "That means there are lots of old devices on the network vulnerable to this bug."

He added that while primary servers likely won't be vulnerable for long, many other devices running embedded versions of Linux will be. That doesn't bode well for the computer- and smartphone-toting community — including potentially iPhone and Android users — because the devices they use are potentially vulnerable to the Shellshock exploit.

Once an attacker has access to a system through the Bash shell, there isn't much they can't do.

"The potential is enormous – 'getting shell' on a box has always been a major win for an attacker because of the control it offers them over the target environment," said security expert Troy Hunt. "Access to internal data, reconfiguration of environments, publication of their own malicious code etc. It’s almost limitless and it's also readily automatable."

Up next: What Shellshock Means for You


Comments

Lee Dronick

  Shellshock is about a 25 year old security flaw in the Bash

Darr247

The patches for supported versions of the (commercial) RHEL and (free) CentOS were issued yesterday… what is Apple’s problem… too busy recovering from the iOS 8.0.1 debacle?

JustCause

Sorry, doesn’t this only impact people that have enabled Remote Login, which is probably 1-5% of Mac OS X users, 1-5% of jailbroken iPhones and 80-100% of Mac OS X Servers?

So It’s an issue, but let’s not be like main stream media and exaggerate too much…

I’d expect a patch from Apple in 2 - 8 weeks.

Lee Dronick

  Sorry, doesn’t this only impact people that have enabled Remote Login

Is that the same as Back to My Mac? Is that even still around?

JustCause

@Lee Dronick - No, separate check box under Sharing & iCloud. Remote Login allows SSH (shell access) & SFTP. “Back to My Mac” is basically Apple’s VNC via iCloud & WAN Bonjour/Rendezvous/ZeroConf (requires “Screen Sharing” to be enabled).

Lee Dronick

Thanks JustCause

iJack

Well apparently, I am vulnerable. But I am not at all comfortable using Terminal to patch anything. So, do I just sit and hope for the best?

Lee Dronick

Same here Jack, but as JustCause says it probably isn’t much of a concern for most users.

wab95

Many thanks for this detailed treatment, Jeff.

You and the rest of the TMO team have been doing yeoman service to the Apple community with these reviews of new products and problems these past few days. Much appreciated.

I did ascertain that my system is vulnerable (no surprise). While I am comfortable going to the command line to get under the Unix bonnet so to speak, the patch that ‘Ask Different’ published requires Xcode, which I don’t have installed, and given my current location, have little hope of accessing. Considering the age of this security flaw, and my location (very few Macs or iOS devices, indeed), I’m content to wait for Apple’s patch.

ftolar59

Well I’m not remotely comfortable with the possibility of having my computers owned by somebody. If Apple doesn’t get cracking on a fix for this damned quick, they all get disconnected from the internet. And if Apple doesn’t put out a fix at all… All my Macs get recycled and Apple loses me as a customer.
