Diagnosing & Treating Bash "Shellshock"

ByMike Moffit

OS X is a descendant of a long lineage of UNIX operating systems, from which it inherits its incredible stability and enhanced security. However, the past two weeks have uncovered numerous bugs in a core piece of software relied on by many UNIX operating systems, OS X included: bash (Bourne-again shell). It turns out that these bugs have been very long standing and can be exploited in numerous ways to provide unchecked access to a computer (in some cases remotely) with an afflicted version of bash installed. Due to the surprise and scope of this vulnerability, many have dubbed it “Shellshock”, in reference to the combat fatigue experienced by soldiers, but it’s really not a fair comparison to the effects of war.

A “shell” is a program that interprets and acts on textual commands either entered directly by a user at a terminal (or using a virtual terminal like the Terminal app found in /Applications/Utilities on OS X) or from a file containing one or more commands to be run automatically (sort of like a player piano, if that’s even a useful analogy anymore.) Bash is a very common shell program and is the default on many UNIX operating systems, including OS X (as of Mac OS X 10.3 Panther). If you’ve ever opened up the Terminal app and run a command in the last decade, you’ve used bash.

I personally write a fair number of scripts in the bash language to automate various processes on my computers and servers, primarily because it so ubiquitous. It may be partly because I’m a bit of a masochist, but—as a server admin—I also find it helps me perform tasks more efficiently when working in Terminal since it is the default. Needless to say I immediately started investigating the bugs, the attacks, and testing OS X workstations and servers.

Fortunately, without very specific custom configuration, OS X is not vulnerable to remote attacks through the afflicted version of bash, as echoed in the following statement from Apple (given to Jim Dalrymple of The Loop):

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. […] With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.

None of the OS X 10.6 Snow Leopard through OS X 10.9 Mavericks systems I tested were vulnerable to remote attacks, however, all versions were susceptible to local attacks. The bugs are such that malicious commands can be inserted into “environment variables” (just what they sound like, data that exists in the environment in which individual shell scripts are run and therefore can be accessed by many scripts) and will be automatically executed upon any bash command or script being run. Not good. Since there are multiple bugs, there are different ways to test for each, but I find running the ‘bashcheck’ script to be very convenient way to test for all of them at once.

The bash developers and community have worked feverishly to investigate and fix these bugs. Apple has released “OS X bash Update 1.0” which includes fixes for the initial pair of bugs, but it unfortunately does not address subsequent bugs. As a further inconvenience, Apple does not provide this update via Software Update or the App Store, so you must download & install the appropriate update for your version of OS X:

OS X bash Update 1.0 – OS X Lion (10.7)
OS X bash Update 1.0 – OS X Mountain Lion (10.8)
OS X bash Update 1.0 – OS X Mavericks (10.9)

For those of you running Mac OS X 10.4 Tiger through 10.6 Snow Leopard on much older Macs, the developers of TenFourFox (an open-source version of the Firefox web browser specifically for older PPC & Intel Macs), provide a download along with detailed instructions to install a version of bash that fixes all the known vulnerabilities at this time. It does require command line experience, so is not for the faint of heart. The updated version provided by the TenFourFox team can also be used on OS X 10.7 Lion through 10.9 Mavericks and actually installs the very latest 4.3.x version of bash as opposed to the older 3.2.x version that Apple includes by default (and provided the partial fix for). This newer version of bash also has some benefits that programmers might enjoy, but it comes at the risk of possibly being downgraded by a future OS X update from Apple.

If you never use the Terminal app, I’d suggest you at least apply the appropriate version of “OS X bash Update 1.0” and any future updates that Apple might release to fix the additional vulnerabilities. For those of you who use Terminal with any frequency, you’ll want to proceed with caution and weigh the pros & cons of relying on Apple’s partial update or manually updating to the latest version of bash for your particular use.

Similar Posts

  • My Thoughts on the AppleTV

    When Steve Jobs announced the new AppleTV on September 1st, 2010 I looked at my wife and said “My first free $100 is…

  • Here come the controllers!

    When I’m playing a game on my iPhone, there are times where I’m thinking, “you know what?” “actual buttons would make this game…

  • Keep Your Passwords!

    You have a password for the online banking, one for your Apple ID, one to log into your retirement amount. Your password for your bank has to have have at least one numeric number, but can’t start with a number and it can’t have any more than two of the same characters found in your username. Your retirement account must include at least 3 numbers and one special character but they can’t be consecutive.

    Does this sound familiar? In the perfect world we would only need one password, but unfortunately for security purposes and as hackers get better at what they do password strength has become critical and part of our everyday lives. The hassle with this is that most sites have their own sets of rules for password strength leaving many of us to peck away at our keyboards or devices in a sometimes endless game of “remember how you manipulated your favorite password 16 different ways and can’t remember if your banking site used the password with the capitalization or the one with the ampersand”.

    For a very long time I will admit my method of keeping track of my usernames and passwords was the stickies program on my Mac, much to the dismay of our IT manager! While stickies are easily accessed they are not secure and I do not recommend this method. Where you should keep them is in your keychain. You can access your keychain through applications and then utilities. Once you are in your keychain you can manually add preferred sites, accounts and passwords you wish to store. Another huge benefit is secure notes. Secure notes allow you store additional confidential information. Keychain is safe and secure because in order to view any of the passwords stored there you need to enter your administrator password. Within keychain you can make sure to safely and securely keep your passwords, and when you forget if you needed that capitalization or ampersand in your password you can simply open keychain and enter into the search field the website for which you need to confirm the password.

    Now what if you don’t have a mac? The loss of passwords, and most often your Apple ID password is a huge concern with users of iOS devices only. Luckily there is an easy solution for that, iCloud and iCloud keychain. Simply go to settings, iCloud and then select keychain. Your iOS device will begin to store your logins and websites. Additionally you can add specific websites and passwords manually to your phone or iPad under safari and then selecting passwords. This is also where you would look if you can’t remember login information.

    Recording safely your logins and passwords is an often overlooked step, especially when users of iOS devices accidentally have the device damaged or lost. Saving your passwords safely and using iCloud keychain can avert your being logged out of accounts.

  • Use Old iOS Devices as Security Cameras!

    Are you one of those people who have old iOS devices laying around your house just waiting to be brought to the recyclers or given to a friend in need? I have always kept my old devices as a backup in case I ever need to send my new one out for repair.

    For those of you planning on upgrading your iPhone, iPad or iPod touch soon, you might rethink selling or recycling it, and instead, turn it into a home security system. Huh? Yes, you heard me.

    With a new app by “*People Power*”:https://itunes.apple.com/us/app/presence-by-people-power/id618598211?mt=8 you can easily make an old iOS device your new home security system. The system supports the iPad 2 and newer, iPod touch (5th gen.) and newer and iPhone 3GS and newer.

    The app is called “*Presence*;”:http://peoplepowerco.com/products/ it’s free and it has some seriously great reviews. All you need to do is download the app on at least two devices, connect over Wi-Fi and set up your device in the desired spot you wish to watch. You can then set up specific alerts for when motion has been detected.

    The alerts might be for when your kids get home from school, if someone breaks into your apartment, or maybe you have elderly parents who you’d like to make sure are up and moving that day. Throw a waterproof case on the phone and you can set it up outside and get video clips to see what kind of animal is eating your freshly sprouted blueberries.

    People Power will soon have a subscription, allowing you to upgrade to Presence Pro for more storage and added features. Even if you don’t feel the need to monitor any activity going on, it might be fun just to play around with the app since it is free, and who knows, you may just find a cool use for it!