Page 1 of 2 1 2
Shellshock – Bash-related Linux security bug
#31296 09/25/14 07:58 AM
Joined: Aug 2009
Likes: 4
grelber Offline OP

Last edited by grelber; 09/25/14 06:48 PM. Reason: New name
Re: Bash-related Linux security bug
grelber #31297 09/25/14 01:32 PM
Joined: Aug 2009
Likes: 16
Moderator
If it is known, it can be fixed. Of course the fix may have all sorts of unintended consequences.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Bash-related Linux security bug
joemikeb #31298 09/25/14 02:01 PM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Originally Posted By: joemikeb
If it is known, it can be fixed.

Indeed.
What I find telling is that the major players seem to have gone to ground or climbed into a hole in the wall:
"US-CERT advised computer users to obtain operating systems updates from software makers [since] ... Linux providers including Red Hat Inc had already prepared them, but it did not mention an update for OS X."
And then, "Apple representatives could not be reached", nor could "Officials with [the non-profit Free Software Foundation, producers of Bash] ... be reached for comment."

Re: Shellshock – Bash-related Linux security bug
grelber #31301 09/25/14 06:50 PM
Joined: Aug 2009
Likes: 4
grelber Offline OP
New name associated with the Bash bug and a minor update (with still no fix in sight):
Security Experts Expect Shellshock Software Bug to Be Significant

Re: Shellshock – Bash-related Linux security bug
grelber #31314 09/26/14 10:07 AM
Joined: Aug 2009
Likes: 7


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: Shellshock – Bash-related Linux security bug
jchuzi #31315 09/26/14 11:30 AM
Joined: Aug 2009
Likes: 4
grelber Offline OP
That's potentially risky business if one isn't deep in the heart of system diddling.

Despite Apple's lackadaisical attitude with respect to Shellshock, I think I'll wait until Apple's patch is proffered.

Re: Shellshock – Bash-related Linux security bug
grelber #31316 09/26/14 12:54 PM
Joined: Aug 2009
Likes: 7
Considering that all versions of OS X are affected, will Apple issue a patch for 10.6 and earlier? That's an important question.


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: Shellshock – Bash-related Linux security bug
jchuzi #31318 09/26/14 02:45 PM
Joined: Aug 2009
Likes: 1
Moderator
Good point indeed, and I'm sure we'll soon find out. Meanwhile, you could peruse Safe from Shellshock: How to protect your home computer from the Bash shell bug. As to recompiling 'your own' Bash, or installing a patched Bash version provided by TenFourFox, have a gander at the links in today's MacInTouch Reader responses on the topic (Security).


alternaut moderator
Re: Shellshock – Bash-related Linux security bug
alternaut #31323 09/26/14 05:36 PM
Joined: Aug 2009
Likes: 8
Over at MacIssues they said:

"Apple does not specify what these services are, but if you are simply using your Mac for common tasks like Web browsing, gaming, word processing, creative design, and even development purposes, then you are likely OK. However, if you have enabled remote access and are running custom services using the command line, then your system might be more vulnerable."


On a Mac since 1984.
Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.
Re: Shellshock – Bash-related Linux security bug
Ira L #31324 09/26/14 10:17 PM
Joined: Aug 2009
Likes: 1
Moderator
That's pretty much what Brad Chacos pointed out in the MacWorld article I linked to. But it's good to emphasize it: this Bash flaw isn't likely to affect 'regular' users. Still, those users may become targets when the exploits we're told are being prepared manage to penetrate servers they visit.


alternaut moderator
Re: Shellshock – Bash-related Linux security bug
grelber #31346 09/29/14 10:32 PM
Joined: Aug 2009
This was on the Apple Download page OS X bash Update 1.0. It has not shown on my software update yet. Hope this is useful.

Re: Shellshock – Bash-related Linux security bug
jchuzi #31347 09/29/14 11:06 PM
Joined: Aug 2009
Likes: 3
Moderator

Originally Posted By: jchuzi
Considering that all versions of OS X are affected, will Apple issue a patch for 10.6 and earlier? That's an important question.

It appears not. Apple has made available OS X bash Update 1.0 for "OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5."



dkmarsh—member, FineTunedMac Co-op Board of Directors
Re: Shellshock – Bash-related Linux security bug
dkmarsh #31350 09/30/14 09:52 AM
Joined: Aug 2009
Likes: 7
It is possible to install a patch for 10.6. See Apple issues fix for ‘Shell Shock’ Bash vulnerability. Scroll down to the part that says:

Lastly, this update does not cover OS X 10.6 systems, so if you are still running Snow Leopard, then you will still need to install XCode version 3.2 and then download and compile the fixed version of bash manually. Once XCode is installed, then follow the instructions to patch bash.

Caveat: I have not yet done this myself.


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: Shellshock – Bash-related Linux security bug
grelber #31351 09/30/14 11:50 AM
Joined: Aug 2009
From: MacInTouch

To check that bash has been updated:

Open Terminal

Execute this command:

bash --version

The version after applying this update will be:

OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
***
I installed the Mavericks version and AFAIK, all is right with the world.


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
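The version check from the MacInTouch steps quoted in the post above, written as a small shell function (an added example, not part of the original thread). The function names are hypothetical, the sample banners are constructed, and the 3.2.53 threshold is the post-update version the post lists.

```shell
#!/bin/sh
# Added example, not from the thread. Compares a `bash --version` banner with
# the post-update version quoted in the post: 3.2.53 on Lion, Mountain Lion
# and Mavericks.

# Print "major minor patch" from the first banner line; fail if it is not
# shaped like: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
parse_bash_version() {
    ver=$(printf '%s\n' "$1" | sed -n \
        '1s/^GNU bash, version \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)(.*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Classify a banner as updated, not-updated, other-series or unrecognized.
check_banner() {
    parsed=$(parse_bash_version "$1") || { echo unrecognized; return 0; }
    IFS=' ' read -r major minor patch <<EOF
$parsed
EOF
    if [ "$major" -ne 3 ] || [ "$minor" -ne 2 ]; then
        # The list in the post only covers Apple's 3.2 builds; a replacement
        # bash from another series cannot be judged against it.
        echo other-series
    elif [ "$patch" -ge 53 ]; then
        echo updated
    else
        echo not-updated
    fi
}

# Constructed sample banners (the platform strings are illustrative).
for banner in \
    'GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)' \
    'GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)' \
    'GNU bash, version 4.3.27(1)-release (i386-apple-darwin10)' \
    'not a bash banner'
do
    printf '%-14s %s\n' "$(check_banner "$banner")" "$banner"
done

# On a real system: check_banner "$(bash --version)"
```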
Re: Shellshock – Bash-related Linux security bug
jchuzi #31357 09/30/14 07:56 PM
Joined: Aug 2009
Likes: 1
Moderator
Originally Posted By: jchuzi
It is possible to install a patch for 10.6.

There is an alternative to that method. As I referred to in post #31318 above, TenFourFox made a Bash patch available that 'works on 10.4 all the way to 10.9 on 32-bit Intel, 64-bit Intel and PowerPC'. So this helps out the Snowy users as well as those with PPC Macs, provided the latter run at least Tiger.

The fix requires downloading the patched Bash (linked to in the first sentence of the TenFourFox blog post under the version number '4.3.27'), and the use of Terminal. A detailed description of the procedure to follow is included, as is the suggestion to get expert help if you're not comfortable with Terminal.


alternaut moderator
Re: Shellshock – Bash-related Linux security bug
alternaut #31359 10/01/14 12:21 PM
Joined: Aug 2009
Has everyone done the OS X bash Update 1.0? And is there any reason not to do it? Thanks, Mark

Re: Shellshock – Bash-related Linux security bug
MarkG #31360 10/01/14 01:39 PM
Joined: Aug 2009
Likes: 1
Moderator
To the extent anyone can, the answer to your first question will likely be 'No'. Personally, I'm working on installing the patch for pre-Lion systems, i.e., the ones for which Apple did not provide a solution.

As to your second question, AFAICT, there is no reason not to install the patch, based on reports of possible issues with it (so far there are none).

That said, right now the biggest risk for most users is associated with unpatched web servers they might visit, or that hold sensitive data.


alternaut moderator
Re: Shellshock – Bash-related Linux security bug
alternaut #31361 10/01/14 02:44 PM
Joined: Aug 2009
Thanks, I think I'll wait a day or two and then install. Have put on a backup drive and so far no issues.

Re: Shellshock – Bash-related Linux security bug
alternaut #31363 10/01/14 03:19 PM
Joined: Aug 2009
Likes: 16
Moderator
I performed the TenFour patch on my wife's Mac mini running Mavericks and it worked perfectly. When I tried it on my Mac mini running the Yosemite beta the system would not reboot and I ended up having to boot from the Yosemite Recovery Drive and reinstalling Yosemite to restore functionality. It may have been coincidental, but I am not going to try that again. Once burned, twice shy.

I know, that's what I get from running a beta OS.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Shellshock – Bash-related Linux security bug
joemikeb #31364 10/01/14 03:58 PM
Joined: Aug 2009
Likes: 1
Moderator
It's good to know that the System Requirements listed for TenFourFox's Bash patch are correct (good up to Mavericks only). It's also good to recall that Apple hasn't yet issued a Bash patch for Yosemite, probably because it'll be incorporated in the final OS version that's supposed to see the light by October 21. FWIW, it looks like Yosemite's Bash is different from its predecessors, and still covered in scaffolding...


alternaut moderator
Re: Shellshock – Bash-related Linux security bug
alternaut #31389 10/03/14 10:07 AM
Joined: Aug 2009
Likes: 7


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: Shellshock – Bash-related Linux security bug
jchuzi #31391 10/04/14 12:34 AM
Joined: Aug 2009
Likes: 1
Moderator
Today's MacInTouch's Security Reader Report listed several items relevant to various patches of the Shellshock Bash bug:

- There is a report that Apple's patch for Mountain Lion may not fix all known Shellshock vulnerabilities; by extension, this may also be true for the other Apple patches. Consequently, patches for older Mac OS X versions (e.g., Snow Leopard and Leopard) derived from the Apple patches may be deficient also. This includes Apple's Lion patch used in Topher Kessler's patch description Jon linked to in post 31389.

- There is yet another update (4.2.28) for the TenFourFox Bash patch I listed above in post 31357. This version claims to cover all currently known vulnerabilities.

- There now is also a 3rd party installer for this latest TenFourFox Bash patch*.

Since I haven't tried to apply the TFF patch (with or without installer) over a system previously patched with an Apple patch I can't be sure this will work without problems. But as the TFF patch is a complete Bash version replacing the existing one, that should work just as well as replacing older TFF patches (which has been done successfully).


*) This download link has now been superseded by another after a newer TFF patch became available; for details and a new link, see post 31492.

Last edited by alternaut; 10/11/14 02:15 PM. Reason: updated installer link

alternaut moderator
Re: Shellshock – Bash-related Linux security bug
alternaut #31392 10/04/14 08:36 AM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Originally Posted By: alternaut
Since I haven't tried to apply the TTF patch (with or without installer) over a system previously patched with an Apple patch I can't be sure this will work without problems. But as the TTF patch is a complete Bash version replacing the existing one, that should work just as well as replacing older TTF patches (which has been done successfully).

Do you mean TFF patch(es)?

Re: Shellshock – Bash-related Linux security bug
grelber #31396 10/04/14 06:57 PM
Joined: Aug 2009
Likes: 1
Moderator
Yes, of course, thanks for pointing out those typos!

PS, I'll fix them to stop further confusion.


alternaut moderator
Re: Shellshock – Bash-related Linux security bug
joemikeb #31402 10/04/14 11:07 PM
Joined: Aug 2009
Likes: 1
Moderator
Originally Posted By: joemikeb
When I tried [the TenFour patch] on my Mac mini running the Yosemite beta the system would not reboot and I ended up having to boot from the Yosemite Recovery Drive and reinstalling Yosemite to restore functionality.

FWIW, according to Francis Barr in today's Security Reader Report (MacInTouch Oct 4) 'the latest Yosemite 10.10 beta 4 updates bash from version 3.2.51 to 3.5.23* [...] suggesting that it has patched the Shellshocked vulnerabilities'.


*) 3.5.23 seems to be a typo, and should probably read 3.2.53.

Last edited by alternaut; 10/08/14 02:32 PM. Reason: marked probable typo in original quote

alternaut moderator

Moderated by  alternaut, cyn 
