Shellshock – Bash-related Linux security bug
OP
Joined: Aug 2009
Likes: 4
Last edited by grelber; 09/25/14 06:48 PM. Reason: New name

Re: Bash-related Linux security bug
Moderator
Joined: Aug 2009
Likes: 16
If it is known, it can be fixed. Of course the fix may have all sorts of unintended consequences.
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein

Re: Bash-related Linux security bug
OP
Joined: Aug 2009
Likes: 4
"If it is known, it can be fixed."
Indeed. What I find telling is that the major players seem to have gone to ground or climbed into a hole in the wall: "US-CERT advised computer users to obtain operating systems updates from software makers [since] ... Linux providers including Red Hat Inc had already prepared them, but it did not mention an update for OS X." And then, "Apple representatives could not be reached", nor could "Officials with [the non-profit Free Software Foundation, producers of Bash] ... be reached for comment."

Re: Shellshock – Bash-related Linux security bug
Joined: Aug 2009
Likes: 7
Jon
macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Re: Shellshock – Bash-related Linux security bug
OP
Joined: Aug 2009
Likes: 4
That's potentially risky business if one isn't deep in the heart of system diddling.
Despite Apple's lackadaisical attitude with respect to Shellshock, I think I'll wait until Apple's patch is proffered.

Re: Shellshock – Bash-related Linux security bug
Joined: Aug 2009
Likes: 7
Considering that all versions of OS X are affected, will Apple issue a patch for 10.6 and earlier? That's an important question.
Jon
macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Re: Shellshock – Bash-related Linux security bug
Joined: Aug 2009
Likes: 8
Over at MacIssues they said: "Apple does not specify what these services are, but if you are simply using your Mac for common tasks like Web browsing, gaming, word processing, creative design, and even development purposes, then you are likely OK. However, if you have enabled remote access and are running custom services using the command line, then your system might be more vulnerable."
On a Mac since 1984. Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.

Re: Shellshock – Bash-related Linux security bug
Moderator
Joined: Aug 2009
Likes: 1
That's pretty much what Brad Chacos pointed out in the MacWorld article I linked to. But it's good to emphasize it: this Bash flaw isn't likely to affect 'regular' users. Still, those users may become targets when the exploits we're told are being prepared manage to penetrate servers they visit.
alternaut ◉ moderator

Re: Shellshock – Bash-related Linux security bug
Joined: Aug 2009
This was on the Apple Download page: OS X bash Update 1.0. It has not shown on my software update yet. Hope this is useful.

Re: Shellshock – Bash-related Linux security bug
Moderator
Joined: Aug 2009
Likes: 3
"Considering that all versions of OS X are affected, will Apple issue a patch for 10.6 and earlier? That's an important question."
It appears not. Apple has made available OS X bash Update 1.0 for "OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5."
dkmarsh—member, FineTunedMac Co-op Board of Directors

Re: Shellshock – Bash-related Linux security bug
Joined: Aug 2009
Likes: 7
It is possible to install a patch for 10.6. See "Apple issues fix for ‘Shell Shock’ Bash vulnerability". Scroll down to the part that says:
"Lastly, this update does not cover OS X 10.6 systems, so if you are still running Snow Leopard, then you will still need to install XCode version 3.2 and then download and compile the fixed version of bash manually. Once XCode is installed, then follow the instructions to patch bash."
Caveat: I have not yet done this myself.
Jon
macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Re: Shellshock – Bash-related Linux security bug
Joined: Aug 2009
From: MacInTouch

To check that bash has been updated:
Open Terminal
Execute this command: bash --version
The version after applying this update will be:
OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
***
I installed the Mavericks version and AFAIK, all is right with the world.
Harv 27" i7 iMac (10.13.6), iPhone Xs Max (12.1)
Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
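
The version check described in the post above can be scripted. This is an added example, not part of the original post or of Apple's instructions: it parses the first line of `bash --version` and compares it with the 3.2.53 version and Darwin suffixes the post quotes. The function names are hypothetical, and a matching version string only shows that the update was applied.

```shell
#!/bin/sh
# Added example: interpret the first line of `bash --version` using the
# values quoted in the post above. Function names are hypothetical.

PATCH_LEVEL=53   # 3.2.53 is the version the post gives for the updated bash

# Map the Darwin build suffix to the OS X release named in the post.
osx_release() {
    case $1 in
        *apple-darwin13*) echo "Mavericks" ;;
        *apple-darwin12*) echo "Mountain Lion" ;;
        *apple-darwin11*) echo "Lion" ;;
        *)                echo "other" ;;
    esac
}

# Print "major.minor.patch" from a `bash --version` first line, or nothing.
bash_version_of() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)(.*/\1/p'
}

# Classify one version line as updated, not-updated or unknown.
classify() {
    v=$(bash_version_of "$1")
    rel=$(osx_release "$1")
    case $v in
        3.2.*)
            # Only the 3.2 series is covered by the versions in the post.
            if [ "${v##*.}" -ge "$PATCH_LEVEL" ]; then
                echo "updated $v ($rel)"
            else
                echo "not-updated $v ($rel)"
            fi ;;
        "") echo "unknown: unparsed line" ;;
        *)  echo "unknown: $v is outside the 3.2 series the post covers" ;;
    esac
}

# Classify the bash installed on this machine.
check_local() {
    classify "$(bash --version | head -n 1)"
}

# Run as `sh script.sh --local` to check the local bash.
if [ "${1:-}" = "--local" ]; then check_local; fi
```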

Re: Shellshock – Bash-related Linux security bug
Moderator
Joined: Aug 2009
Likes: 1
"It is possible to install a patch for 10.6."
There is an alternative to that method. As I referred to in post #31318 above, TenFourFox made a Bash patch available that 'works on 10.4 all the way to 10.9 on 32-bit Intel, 64-bit Intel and PowerPC'. So this helps out the Snowy users as well as those with PPC Macs, provided the latter run at least Tiger. The fix requires downloading the patched Bash (linked to in the first sentence of the TenFourFox blog post under the version number '4.3.27'), and the use of Terminal. A detailed description of the procedure to follow is included, as is the suggestion to get expert help if you're not comfortable with Terminal.
alternaut ◉ moderator

Re: Shellshock – Bash-related Linux security bug
Joined: Aug 2009
Has everyone done the OS X bash Update 1.0? And is there any reason not to do it? Thanks, Mark

Re: Shellshock – Bash-related Linux security bug
Moderator
Joined: Aug 2009
Likes: 1
To the extent anyone can, the answer to your first question will likely be 'No'. Personally, I'm working on installing the patch for pre-Lion systems, i.e., the ones for which Apple did not provide a solution. As to your second question, AFAICT, there is no reason not to install the patch, based on reports of possible issues with it (so far there are none). That said, right now the biggest risk for most users is associated with unpatched web servers they might visit, or that hold sensitive data.
alternaut ◉ moderator

Re: Shellshock – Bash-related Linux security bug
Joined: Aug 2009
Thanks, I think I'll wait a day or two and then install. Have put on a backup drive and so far no issues.

Re: Shellshock – Bash-related Linux security bug
Moderator
Joined: Aug 2009
Likes: 16
I performed the TenFour patch on my wife's Mac mini running Mavericks and it worked perfectly. When I tried it on my Mac mini running the Yosemite beta the system would not reboot and I ended up having to boot from the Yosemite Recovery Drive and reinstalling Yosemite to restore functionality. It may have been coincidental, but I am not going to try that again. Once burned, twice shy. I know, that's what I get from running a beta OS.
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein

Re: Shellshock – Bash-related Linux security bug
Moderator
Joined: Aug 2009
Likes: 1
It's good to know that the System Requirements listed for TenFourFox's Bash patch are correct (good up to Mavericks only). It's also good to recall that Apple hasn't yet issued a Bash patch for Yosemite, probably because it'll be incorporated in the final OS version that's supposed to see the light by October 21. FWIW, it looks like Yosemite's Bash is different from its predecessors, and still covered in scaffolding...
alternaut ◉ moderator

Re: Shellshock – Bash-related Linux security bug
Joined: Aug 2009
Likes: 7
Jon
macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Re: Shellshock – Bash-related Linux security bug
Moderator
Joined: Aug 2009
Likes: 1
Today's MacInTouch's Security Reader Report listed several items relevant to various patches of the Shellshock Bash bug:
- There is a report that Apple's patch for Mountain Lion may not fix all known Shellshock vulnerabilities; by extension, this may also be true for the other Apple patches. Consequently, patches for older Mac OS X versions (e.g., Snow Leopard and Leopard) derived from the Apple patches may be deficient also. This includes Apple's Lion patch used in Topher Kessler's patch description Jon linked to in post 31389.
- There is yet another update (4.2.28) for the TenFourFox Bash patch I listed above in post 31357. This version claims to cover all currently known vulnerabilities.
- There now is also a 3rd party installer for this latest TenFourFox Bash patch*.
Since I haven't tried to apply the TFF patch (with or without installer) over a system previously patched with an Apple patch I can't be sure this will work without problems. But as the TFF patch is a complete Bash version replacing the existing one, that should work just as well as replacing older TFF patches (which has been done successfully).
*) This download link has now been superseded by another after a newer TFF patch became available; for details and a new link, see post 31492.
Last edited by alternaut; 10/11/14 02:15 PM. Reason: updated installer link
alternaut ◉ moderator

Re: Shellshock – Bash-related Linux security bug
OP
Joined: Aug 2009
Likes: 4
"Since I haven't tried to apply the TTF patch (with or without installer) over a system previously patched with an Apple patch I can't be sure this will work without problems. But as the TTF patch is a complete Bash version replacing the existing one, that should work just as well as replacing older TTF patches (which has been done successfully)."
Do you mean TFF patch(es)?

Re: Shellshock – Bash-related Linux security bug
Moderator
Joined: Aug 2009
Likes: 1
Yes, of course, thanks for pointing out those typos! PS, I'll fix them to stop further confusion.
alternaut ◉ moderator

Re: Shellshock – Bash-related Linux security bug
Moderator
Joined: Aug 2009
Likes: 1
"When I tried [the TenFour patch] on my Mac mini running the Yosemite beta the system would not reboot and I ended up having to boot from the Yosemite Recovery Drive and reinstalling Yosemite to restore functionality."
FWIW, according to Francis Barr in today's Security Reader Report (MacInTouch Oct 4) 'the latest Yosemite 10.10 beta 4 updates bash from version 3.2.51 to 3.5.23* [...] suggesting that it has patched the Shellshocked vulnerabilities'.
*) 3.5.23 seems to be a typo, and should probably read 3.2.53.
Last edited by alternaut; 10/08/14 02:32 PM. Reason: marked probable typo in original quote
alternaut ◉ moderator