New 'Bash' software bug may pose bigger threat than 'Heartbleed'

Ain't that gonna be lotsa fun?! tongue
Posted By: joemikeb Re: Bash-related Linux security bug - 09/25/14 01:32 PM
If it is known, it can be fixed. Of course the fix may have all sorts of unintended consequences.
Posted By: grelber Re: Bash-related Linux security bug - 09/25/14 02:01 PM
Originally Posted By: joemikeb
If it is known, it can be fixed.

Indeed.
What I find telling is that the major players seem to have gone to ground or climbed into a hole in the wall:
"US-CERT advised computer users to obtain operating systems updates from software makers [since] ... Linux providers including Red Hat Inc had already prepared them, but it did not mention an update for OS X."
And then, "Apple representatives could not be reached", nor could "Officials with [the non-profit Free Software Foundation, producers of Bash] ... be reached for comment."
New name associated with the Bash bug and a minor update (with still no fix in sight):
Security Experts Expect Shellshock Software Bug to Be Significant
How to unofficially fix the ‘Shell Shock’ bash vulnerability in OS X
That's potentially risky business if one isn't deep in the heart of system diddling.

Despite Apple's lackadaisical attitude with respect to Shellshock, I think I'll wait until Apple's patch is proffered.
Considering that all versions of OS X are affected, will Apple issue a patch for 10.6 and earlier? That's an important question.
Good point indeed, and I'm sure we'll soon find out. Meanwhile, you could peruse Safe from Shellshock: How to protect your home computer from the Bash shell bug. As to recompiling 'your own' Bash, or installing a patched Bash version provided by TenFourFox, have a gander at the links in today's MacInTouch Reader responses on the topic (Security).
Over at MacIssues they said:

"Apple does not specify what these services are, but if you are simply using your Mac for common tasks like Web browsing, gaming, word processing, creative design, and even development purposes, then you are likely OK. However, if you have enabled remote access and are running custom services using the command line, then your system might be more vulnerable."
That's pretty much what Brad Chacos pointed out in the MacWorld article I linked to. But it's good to emphasize it: this Bash flaw isn't likely to affect 'regular' users. Still, those users may become targets when the exploits we're told are being prepared manage to penetrate servers they visit.
This was on the Apple Download page OS X bash Update 1.0. It has not shown on my software update yet. Hope this is useful.

Originally Posted By: jchuzi
Considering that all versions of OS X are affected, will Apple issue a patch for 10.6 and earlier? That's an important question.

It appears not. Apple has made available OS X bash Update 1.0 for "OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5."
It is possible to install a patch for 10.6. See Apple issues fix for ‘Shell Shock’ Bash vulnerability. Scroll down to the part that says:

Lastly, this update does not cover OS X 10.6 systems, so if you are still running Snow Leopard, then you will still need to install XCode version 3.2 and then download and compile the fixed version of bash manually. Once XCode is installed, then follow the instructions to patch bash.

Caveat: I have not yet done this myself.
From: MacInTouch

To check that bash has been updated:

Open Terminal

Execute this command:

bash --version

The version after applying this update will be:

OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
***
I installed the Mavericks version and AFAIK, all is right with the world.
Originally Posted By: jchuzi
It is possible to install a patch for 10.6.

There is an alternative to that method. As I referred to in post #31318 above, TenFourFox made a Bash patch available that 'works on 10.4 all the way to 10.9 on 32-bit Intel, 64-bit Intel and PowerPC'. So this helps out the Snowy users as well as those with PPC Macs, provided the latter run at least Tiger.

The fix requires downloading the patched Bash (linked to in the first sentence of the TenFourFox blog post under the version number '4.3.27'), and the use of Terminal. A detailed description of the procedure to follow is included, as is the suggestion to get expert help if you're not comfortable with Terminal.
Has everyone done the OS X bash Update 1.0? And is there any reason not to do it? Thanks, Mark
To the extent anyone can, the answer to your first question will likely be 'No'. wink Personally, I'm working on installing the patch for pre-Lion systems, i.e., the ones for which Apple did not provide a solution.

As to your second question, AFAICT, there is no reason not to install the patch, based on reports of possible issues with it (so far there are none).

That said, right now the biggest risk for most users is associated with unpatched web servers they might visit, or that hold sensitive data.
Thanks, I think I'll wait a day or two and then install. Have put on a backup drive and so far no issues.
I performed the TenFour patch on my wife's Mac mini running Mavericks and it worked perfectly. When I tried it on my Mac mini running the Yosemite beta the system would not reboot and I ended up having to boot from the Yosemite Recovery Drive and reinstalling Yosemite to restore functionality. It may have been coincidental, but I am not going to try that again. Once burned twice shy.

I know, that's what I get from running a beta OS. tongue
It's good to know that the System Requirements listed for TenFourFox's Bash patch are correct (good up to Mavericks only). wink It's also good to recall that Apple hasn't yet issued a Bash patch for Yosemite, probably because it'll be incorporated in the final OS version that's supposed to see the light by October 21. FWIW, it looks like Yosemite's Bash is different from its predecessors, and still covered in scaffolding...
How to create a ‘Shell Shock’ Bash Update installer for OS X 10.6
Today's MacInTouch's Security Reader Report listed several items relevant to various patches of the Shellshock Bash bug:

- There is a report that Apple's patch for Mountain Lion may not fix all known Shellshock vulnerabilities; by extension, this may also be true for the other Apple patches. Consequently, patches for older Mac OS X versions (e.g., Snow Leopard and Leopard) derived from the Apple patches may be deficient also. This includes Apple's Lion patch used in Topher Kessler's patch description Jon linked to in post 31389.

- There is yet another update (4.2.28) for the TenFourFox Bash patch I listed above in post 31357. This version claims to cover all currently known vulnerabilities.

- There now is also a 3rd party installer for this latest TenFourFox Bash patch*.

Since I haven't tried to apply the TFF patch (with or without installer) over a system previously patched with an Apple patch I can't be sure this will work without problems. But as the TFF patch is a complete Bash version replacing the existing one, that should work just as well as replacing older TFF patches (which has been done successfully).


*) This download link has now been superseded by another after a newer TFF patch became available; for details and a new link, see post 31492.
Originally Posted By: alternaut
Since I haven't tried to apply the TTF patch (with or without installer) over a system previously patched with an Apple patch I can't be sure this will work without problems. But as the TTF patch is a complete Bash version replacing the existing one, that should work just as well as replacing older TTF patches (which has been done successfully).

Do you mean TFF patch(es)?
Yes, of course, thanks for pointing out those typos! blush

PS, I'll fix them to stop further confusion.
Originally Posted By: joemikeb
When I tried [the TenFour patch] on my Mac mini running the Yosemite beta the system would not reboot and I ended up having to boot from the Yosemite Recovery Drive and reinstalling Yosemite to restore functionality.

FWIW, according to Francis Barr in today's Security Reader Report (MacInTouch Oct 4) 'the latest Yosemite 10.10 beta 4 updates bash from version 3.2.51 to 3.5.23* [...] suggesting that it has patched the Shellshocked vulnerabilities'.


*) 3.5.23 seems to be a typo, and should probably read 3.2.53.
Originally Posted By: alternaut
FWIW, according to Francis Barr in today's Security Reader Report (MacInTouch Oct 4) 'the latest Yosemite 10.10 beta 4 updates bash from version 3.2.51 to 3.5.23 […] suggesting that it has patched the Shellshocked vulnerabilities'.

Unfortunately Yosemite Beta 4 is not available for download at the moment, at least not from Apple. frown
Two scenarios that can make OS X vulnerable to the Shellshock Bash bug
I just used the 3rd party installer; now, how do I verify that I'm actually running the version of bash that I'm supposed to be running?

Thanks.

Edit: There's a series of Terminal commands here to test for vulnerabilities, and since none of my results matched those displayed, I assume that my system is patched.

But is there a more "direct" way to tell?
Read Apple issues fix for ‘Shell Shock’ Bash vulnerability. The relevant part says:

Once you have run these updates, you can check that bash has been updated by opening the Terminal and running the following command:

bash --version

When you do this, you should see output that reads “GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13).” This should be the same for OS X 10.7 Lion, 10.8 Mountain Lion, and 10.9 Mavericks.


From what I have read, that bash version should be the same for Snowy. Please post back with your results. I haven't installed the update yet so I'd like to know your experience.
Thanks, Jon.

Code:
Artie's-MacBook-Pro:~ artie$ bash --version
GNU bash, version 4.3.28(4)-release (i386-apple-darwin8.11.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Artie's-MacBook-Pro:~ artie$ 

4.3.28 is the version number I expected to see (as per this).
In this post I address comments both Jon and Artie made immediately above. First off, the only quick way to establish your Bash vulnerability status at the moment is to run a Bash check script or the equivalent Terminal commands.

The comment I made in post #31391 above about the Apple patches possibly not fixing all vulnerabilities was based on the result of a Bash check script by Hanno Böck and run by Rapid7 security researcher Greg Wiseman. Böck's script currently tests for 6 different Bash vulnerabilities. Running a check after an optimal patch should indicate that all 6 vulnerabilities have been patched. It was initially not clear whether Wiseman's results actually differed from those listed by Francis Barr in MacInTouch on October 4th, or whether he interpreted them differently. But in an Oct. 2 update Wiseman already stated that the vulnerabilities he found to be not addressed by the Apple patches were in fact not exploitable. This implies that the available Apple patches are OK, at least for now (see below).

The version of GNU bash shipped with Mac OS X is 3.2; the current version is 4.3. Both had 'the' flaw, and both were patched, with the patch number appended to the Bash version number. Which one the Bash-check produces depends on your OS X version and its associated Bash version, or the patch version which replaced it. While Apple stayed with 3.2 for their patch, TFF used v.4.3. In this context, Bash 3.2, patches 52, 53, and 54 correspond to Bash 4.3 patches 25, 26, and 27.
All that said, there is really no such thing as 'the' flaw, since additional flaws are found on almost a daily basis once Bash came under increased scrutiny. Additional patches can be expected, as well as official Apple action in case of newly found exploitable flaws.

PS, it appears that a patch version number (i.e., 3.5.23) in the quote from MIT poster Francis Barr I included in post #31402 contained a typo. I have now marked it there as such. The Bash test result in Francis Barr's MIT post lists the proper version number, 3.2.53.
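As an added example (not code from this thread, nor from Apple or TenFourFox) that covers both the `bash --version` check quoted from MacInTouch earlier in the thread and the version mapping in the post above: a POSIX shell script that parses the banner, compares the version with the baseline this thread gives (3.2.53 for Apple's 3.2 series and its stated 4.3.26 equivalent for the TFF 4.3 series), and runs the usual local self-test of the original function-import flaw against a shell binary you name. The sample banners are constructed, the function names are mine, and the "baseline" only means the Apple-equivalent patch level, since later TFF patches (4.3.28, 4.3.30) were issued for further flaws.

```shell
#!/bin/sh
# Added example: banner parsing, baseline comparison and a local self-test.
# Not part of the thread; function names and sample banners are constructed.

# Extract "3.2.53" from a banner such as
# "GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)".
bash_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Turn a dotted version into an integer so it can be compared with -ge.
version_key() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Baseline per release series, from the thread: Apple shipped bash 3.2.53,
# and bash 3.2 patch 53 corresponds to bash 4.3 patch 26. "baseline-met"
# means "at least the Apple-equivalent level", not "nothing left to fix".
shellshock_baseline_status() {
    v="$1"
    case "$v" in
        3.2.*) min=3.2.53 ;;
        4.3.*) min=4.3.26 ;;
        *) echo unknown-series; return 0 ;;
    esac
    if [ "$(version_key "$v")" -ge "$(version_key "$min")" ]; then
        echo baseline-met
    else
        echo below-baseline
    fi
}

# Local self-test of the original function-import flaw, run against the shell
# binary given in $1 (e.g. /bin/bash). An unpatched bash runs the trailing
# command while importing the function-shaped variable; a fixed one does not.
probe_function_import() {
    if env x='() { :;}; echo vulnerable' "$1" -c : 2>/dev/null | grep -q vulnerable; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# Constructed banners for the cases discussed in the thread (not captured output).
SAMPLE_APPLE='GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)'
SAMPLE_STOCK='GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)'
SAMPLE_TFF='GNU bash, version 4.3.28(4)-release (i386-apple-darwin8.11.0)'

main() {
    for banner in "$SAMPLE_APPLE" "$SAMPLE_STOCK" "$SAMPLE_TFF"; do
        v=$(bash_version_from_banner "$banner")
        printf '%-8s %s\n' "$v" "$(shellshock_baseline_status "$v")"
    done
    # Also check the bash actually installed on this machine, if there is one.
    if command -v bash >/dev/null 2>&1; then
        printf 'installed bash: %s\n' "$(bash_version_from_banner "$(bash --version | head -n 1)")"
        printf 'function-import probe: %s\n' "$(probe_function_import bash)"
    fi
}

main
```

Both checks matter, as the post above says: the version number tells you which patch series you are on, while the probe tells you whether the shell you actually run still honours function-shaped environment variables. Point `probe_function_import` at `/bin/bash` or at a separately installed replacement to see which one a given path resolves to.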
A (probably) final update from TenFourFox Development...

Quote:
FINAL UPDATE: 4.3.30 is now available. There are no new tests, and it is not clear the flaws it fixes are exploitable with the other changes, but it is available for those that wish it. Assuming no other vulnerabilities are found in the near future, this should be the last patch.

Edit: v 4.3.30 d/l's as a .gz file and opens to...an unidentified something; anybody got any ideas?
The 'bash-4.3.30-10.4u' file you get when you decompress that gz archive is the properly formatted and patched bash version you need to replace your current one with, using the procedure described in detail further down the page you linked to.

If you prefer to use an installer for this patch, go HERE, where you'll find a link to the updated version of the old installer. The download option I posted in post 31391 above used patch v4.3.28, and has now been removed and replaced with the new one here.
The version of bash used in Yosemite beta 5 is GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin14). However it passes all of the TenFourFox tests.
You're fine if you patched your system and it passes the flaw test, regardless of exactly which patch version you applied. As I mentioned before, those Bash patches keep on coming, and their relevance to the Shellshock flaws—assuming there is one—is not always clear. If you want to look into the details, check out the various patch reports in their respective repositories:

- bash-3.2 patches
- bash-4.3 patches
Thanks for the clarification (because I had your original link in hand I had never read down the page) and the new installer link.
© FineTunedMac