#31296 - 09/25/14 12:58 AM Shellshock – Bash-related Linux security bug
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||


Edited by grelber (09/25/14 11:48 AM)
Edit Reason: New name

#31297 - 09/25/14 06:32 AM Re: Bash-related Linux security bug [Re: grelber]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
If it is known, it can be fixed. Of course the fix may have all sorts of unintended consequences.
_________________________
joemikeb • moderator

#31298 - 09/25/14 07:01 AM Re: Bash-related Linux security bug [Re: joemikeb]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: joemikeb
If it is known, it can be fixed.

Indeed.
What I find telling is that the major players seem to have gone to ground or climbed into a hole in the wall:
"US-CERT advised computer users to obtain operating systems updates from software makers [since] ... Linux providers including Red Hat Inc had already prepared them, but it did not mention an update for OS X."
And then, "Apple representatives could not be reached", nor could "Officials with [the non-profit Free Software Foundation, producers of Bash] ... be reached for comment."

#31301 - 09/25/14 11:50 AM Re: Shellshock – Bash-related Linux security bug [Re: grelber]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
New name associated with the Bash bug and a minor update (with still no fix in sight):
Security Experts Expect Shellshock Software Bug to Be Significant

#31314 - 09/26/14 03:07 AM Re: Shellshock – Bash-related Linux security bug [Re: grelber]
jchuzi Online


Registered: 08/04/09
Loc: New York State
_________________________
Jon

OS 10.14.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#31315 - 09/26/14 04:30 AM Re: Shellshock – Bash-related Linux security bug [Re: jchuzi]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
That's potentially risky business if one isn't deep in the heart of system diddling.

Despite Apple's lackadaisical attitude with respect to Shellshock, I think I'll wait until Apple's patch is proffered.

#31316 - 09/26/14 05:54 AM Re: Shellshock – Bash-related Linux security bug [Re: grelber]
jchuzi Online


Registered: 08/04/09
Loc: New York State
Considering that all versions of OS X are affected, will Apple issue a patch for 10.6 and earlier? That's an important question.
_________________________
Jon

OS 10.14.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#31318 - 09/26/14 07:45 AM Re: Shellshock – Bash-related Linux security bug [Re: jchuzi]
alternaut Offline

Moderator

Registered: 08/04/09
Good point indeed, and I'm sure we'll soon find out. Meanwhile, you could peruse Safe from Shellshock: How to protect your home computer from the Bash shell bug. As to recompiling 'your own' Bash, or installing a patched Bash version provided by TenFourFox, have a gander at the links in today's MacInTouch Reader responses on the topic (Security).
_________________________
alternaut moderator

#31323 - 09/26/14 10:36 AM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
Ira L Online


Registered: 08/13/09
Loc: California
Over at MacIssues they said:

"Apple does not specify what these services are, but if you are simply using your Mac for common tasks like Web browsing, gaming, word processing, creative design, and even development purposes, then you are likely OK. However, if you have enabled remote access and are running custom services using the command line, then your system might be more vulnerable."
_________________________
On a Mac since 1984.
Currently: 27" iMacs, MacBook Air, macOS 10.14.x; iPhones, iPods and iPads galore!

#31324 - 09/26/14 03:17 PM Re: Shellshock – Bash-related Linux security bug [Re: Ira L]
alternaut Offline

Moderator

Registered: 08/04/09
That's pretty much what Brad Chacos pointed out in the MacWorld article I linked to. But it's good to emphasize it: this Bash flaw isn't likely to affect 'regular' users. Still, those users may become targets when the exploits we're told are being prepared manage to penetrate servers they visit.
_________________________
alternaut moderator

#31346 - 09/29/14 03:32 PM Re: Shellshock – Bash-related Linux security bug [Re: grelber]
MarkG Offline


Registered: 08/06/09
This was on the Apple Download page OS X bash Update 1.0. It has not shown on my software update yet. Hope this is useful.

#31347 - 09/29/14 04:06 PM Re: Shellshock – Bash-related Linux security bug [Re: jchuzi]
dkmarsh Online
Moderator

Registered: 08/04/09

Originally Posted By: jchuzi
Considering that all versions of OS X are affected, will Apple issue a patch for 10.6 and earlier? That's an important question.

It appears not. Apple has made available OS X bash Update 1.0 for "OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5."
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

#31350 - 09/30/14 02:52 AM Re: Shellshock – Bash-related Linux security bug [Re: dkmarsh]
jchuzi Online


Registered: 08/04/09
Loc: New York State
It is possible to install a patch for 10.6. See Apple issues fix for ‘Shell Shock’ Bash vulnerability. Scroll down to the part that says:

Lastly, this update does not cover OS X 10.6 systems, so if you are still running Snow Leopard, then you will still need to install XCode version 3.2 and then download and compile the fixed version of bash manually. Once XCode is installed, then follow the instructions to patch bash.

Caveat: I have not yet done this myself.
_________________________
Jon

OS 10.14.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#31351 - 09/30/14 04:50 AM Re: Shellshock – Bash-related Linux security bug [Re: grelber]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
From: MacInTouch

To check that bash has been updated:

Open Terminal

Execute this command:

bash --version

The version after applying this update will be:

OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
***
I installed the Mavericks version and AFAIK, all is right with the world.
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
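
The version check described in the post above, as an added example that is not part of the original post or of MacInTouch's instructions: it parses a `bash --version` banner and compares it with the 3.2.53 build listed for OS X bash Update 1.0. The function name, the result strings and the constructed 3.2.51 banner are assumptions of this example; a matching version only shows that the update is installed.

```shell
#!/bin/sh
# Added example: classify a `bash --version` banner against the 3.2.53
# build that the post lists for OS X bash Update 1.0.
# bash_update_status and its result strings are names chosen for this example.

APPLE_FIXED_PATCH=53   # patch level quoted in the post (3.2.53)

bash_update_status() {
    banner=$1
    # Pull "major.minor.patch" out of
    # "GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)"
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown; return 0
    fi
    series=${ver%.*}      # e.g. 3.2
    patch=${ver##*.}      # e.g. 53
    # The post only gives an expected version for Apple's 3.2 series;
    # any other series (a third-party build, say) is not judged here.
    if [ "$series" != "3.2" ]; then
        echo unknown; return 0
    fi
    if [ "$patch" -ge "$APPLE_FIXED_PATCH" ]; then
        echo updated
    else
        echo not-updated
    fi
}

# Constructed sample banners: the first is the Mavericks line from the
# post, the second is the same line with patch level 51.
for sample in \
    'GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)' \
    'GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)'
do
    printf '%s -> %s\n' "$sample" "$(bash_update_status "$sample")"
done

# Check the bash installed on this machine, if there is one.
if command -v bash >/dev/null 2>&1; then
    line=$(bash --version | head -n 1)
    printf '%s -> %s\n' "$line" "$(bash_update_status "$line")"
fi
```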

#31357 - 09/30/14 12:56 PM Re: Shellshock – Bash-related Linux security bug [Re: jchuzi]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: jchuzi
It is possible to install a patch for 10.6.

There is an alternative to that method. As I referred to in post #31318 above, TenFourFox made a Bash patch available that 'works on 10.4 all the way to 10.9 on 32-bit Intel, 64-bit Intel and PowerPC'. So this helps out the Snowy users as well as those with PPC Macs, provided the latter run at least Tiger.

The fix requires downloading the patched Bash (linked to in the first sentence of the TenFourFox blog post under the version number '4.3.27'), and the use of Terminal. A detailed description of the procedure to follow is included, as is the suggestion to get expert help if you're not comfortable with Terminal.
_________________________
alternaut moderator

#31359 - 10/01/14 05:21 AM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
MarkG Offline


Registered: 08/06/09
Has everyone done the OS X bash Update 1.0? And is there any reason not to do it? Thanks, Mark

#31360 - 10/01/14 06:39 AM Re: Shellshock – Bash-related Linux security bug [Re: MarkG]
alternaut Offline

Moderator

Registered: 08/04/09
To the extent anyone can, the answer to your first question will likely be 'No'. (wink) Personally, I'm working on installing the patch for pre-Lion systems, i.e., the ones for which Apple did not provide a solution.

As to your second question, AFAICT, there is no reason not to install the patch, based on reports of possible issues with it (so far there are none).

That said, right now the biggest risk for most users is associated with unpatched web servers they might visit, or that hold sensitive data.
_________________________
alternaut moderator

#31361 - 10/01/14 07:44 AM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
MarkG Offline


Registered: 08/06/09
Thanks, I think I'll wait a day or two and then install. Have put on a backup drive and so far no issues.

#31363 - 10/01/14 08:19 AM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
I performed the TenFour patch on my wife's Mac mini running Mavericks and it worked perfectly. When I tried it on my Mac mini running the Yosemite beta the system would not reboot and I ended up having to boot from the Yosemite Recovery Drive and reinstalling Yosemite to restore functionality. It may have been coincidental, but I am not going to try that again. Once burned, twice shy.

I know, that's what I get from running a beta OS. (tongue)
_________________________
joemikeb • moderator

#31364 - 10/01/14 08:58 AM Re: Shellshock – Bash-related Linux security bug [Re: joemikeb]
alternaut Offline

Moderator

Registered: 08/04/09
It's good to know that the System Requirements listed for TenFourFox's Bash patch are correct (good up to Mavericks only). (wink) It's also good to recall that Apple hasn't yet issued a Bash patch for Yosemite, probably because it'll be incorporated in the final OS version that's supposed to see the light by October 21. FWIW, it looks like Yosemite's Bash is different from its predecessors, and still covered in scaffolding...
_________________________
alternaut moderator

#31389 - 10/03/14 03:07 AM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
jchuzi Online


Registered: 08/04/09
Loc: New York State
_________________________
Jon

OS 10.14.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#31391 - 10/03/14 05:34 PM Re: Shellshock – Bash-related Linux security bug [Re: jchuzi]
alternaut Offline

Moderator

Registered: 08/04/09
Today's MacInTouch's Security Reader Report listed several items relevant to various patches of the Shellshock Bash bug:

- There is a report that Apple's patch for Mountain Lion may not fix all known Shellshock vulnerabilities; by extension, this may also be true for the other Apple patches. Consequently, patches for older Mac OS X versions (e.g., Snow Leopard and Leopard) derived from the Apple patches may be deficient also. This includes Apple's Lion patch used in Topher Kessler's patch description Jon linked to in post 31389.

- There is yet another update (4.2.28) for the TenFourFox Bash patch I listed above in post 31357. This version claims to cover all currently known vulnerabilities.

- There now is also a 3rd party installer for this latest TenFourFox Bash patch*.

Since I haven't tried to apply the TFF patch (with or without installer) over a system previously patched with an Apple patch I can't be sure this will work without problems. But as the TFF patch is a complete Bash version replacing the existing one, that should work just as well as replacing older TFF patches (which has been done successfully).


*) This download link has now been superseded by another after a newer TFF patch became available; for details and a new link, see post 31492.


Edited by alternaut (10/11/14 07:15 AM)
Edit Reason: updated installer link
_________________________
alternaut moderator

#31392 - 10/04/14 01:36 AM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: alternaut
Since I haven't tried to apply the TTF patch (with or without installer) over a system previously patched with an Apple patch I can't be sure this will work without problems. But as the TTF patch is a complete Bash version replacing the existing one, that should work just as well as replacing older TTF patches (which has been done successfully).

Do you mean TFF patch(es)?

#31396 - 10/04/14 11:57 AM Re: Shellshock – Bash-related Linux security bug [Re: grelber]
alternaut Offline

Moderator

Registered: 08/04/09
Yes, of course, thanks for pointing out those typos! (blush)

PS, I'll fix them to stop further confusion.
_________________________
alternaut moderator

#31402 - 10/04/14 04:07 PM Re: Shellshock – Bash-related Linux security bug [Re: joemikeb]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: joemikeb
When I tried [the TenFour patch] on my Mac mini running the Yosemite beta the system would not reboot and I ended up having to boot from the Yosemite Recovery Drive and reinstalling Yosemite to restore functionality.

FWIW, according to Francis Barr in today's Security Reader Report (MacInTouch Oct 4) 'the latest Yosemite 10.10 beta 4 updates bash from version 3.2.51 to 3.5.23* [...] suggesting that it has patched the Shellshocked vulnerabilities'.


*) 3.5.23 seems to be a typo, and should probably read 3.2.53.


Edited by alternaut (10/08/14 07:32 AM)
Edit Reason: marked probable typo in original quote
_________________________
alternaut moderator
