Diagnosing & Treating Bash "Shellshock"

OS X is a descendant of a long lineage of UNIX operating systems, from which it inherits its incredible stability and enhanced security. However, the past two weeks have uncovered numerous bugs in a core piece of software relied on by many UNIX operating systems, OS X included: bash (Bourne-again shell). It turns out that these bugs have been very long standing and can be exploited in numerous ways to provide unchecked access to a computer (in some cases remotely) with an afflicted version of bash installed. Due to the surprise and scope of this vulnerability, many have dubbed it “Shellshock”, in reference to the combat fatigue experienced by soldiers, but it’s really not a fair comparison to the effects of war.

A “shell” is a program that interprets and acts on textual commands either entered directly by a user at a terminal (or using a virtual terminal like the Terminal app found in /Applications/Utilities on OS X) or from a file containing one or more commands to be run automatically (sort of like a player piano, if that’s even a useful analogy anymore.) Bash is a very common shell program and is the default on many UNIX operating systems, including OS X (as of Mac OS X 10.3 Panther). If you’ve ever opened up the Terminal app and run a command in the last decade, you’ve used bash.

I personally write a fair number of scripts in the bash language to automate various processes on my computers and servers, primarily because it is so ubiquitous. It may be partly because I’m a bit of a masochist, but—as a server admin—I also find it helps me perform tasks more efficiently when working in Terminal since it is the default. Needless to say, I immediately started investigating the bugs, the attacks, and testing OS X workstations and servers.

Fortunately, without very specific custom configuration, OS X is not vulnerable to remote attacks through the afflicted version of bash, as echoed in the following statement from Apple (given to Jim Dalrymple of The Loop):

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. […] With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.

None of the OS X 10.6 Snow Leopard through OS X 10.9 Mavericks systems I tested were vulnerable to remote attacks; however, all versions were susceptible to local attacks. The bugs are such that malicious commands can be inserted into “environment variables” (just what they sound like: data that exists in the environment in which individual shell scripts are run and therefore can be accessed by many scripts) and will be automatically executed whenever bash starts up with that environment, i.e. upon any bash command or script being run. Not good. Since there are multiple bugs, there are different ways to test for each, but I find running the ‘bashcheck’ script to be a very convenient way to test for all of them at once.
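To make the mechanism concrete, here is a small added check (my own example, not the bashcheck script or anything from Apple) for the first of these bugs: it hands a bash binary an environment variable whose value is a function definition followed by a trailing command, and reports whether that trailing command ran. The probe string is the widely published one; the function names and the BASH_BIN variable are my own inventions, and the script assumes a bash binary is on the PATH.

```shell
#!/bin/sh
# Added example: probe a bash binary for the Shellshock function-import bug.
# A vulnerable bash parses the environment value as a function definition and
# keeps going, executing the command after the closing brace as it starts up.
# A patched bash treats the whole value as ordinary data.

BASH_BIN="${BASH_BIN:-bash}"   # assumed location; override to test another build

# Returns 0 if the trailing command was NOT executed (patched),
# 1 if it was (vulnerable), 2 if the interpreter could not be run.
shellshock_check() {
    bin="${1:-$BASH_BIN}"
    command -v "$bin" >/dev/null 2>&1 || { echo "unknown: $bin not found"; return 2; }
    # The child command only prints "probe"; the marker can only appear if bash
    # itself executed the trailing part of the variable while importing it.
    out=$(env PROBE='() { :;}; echo SHELLSHOCK_MARKER' "$bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable: $bin ran code from an environment variable"; return 1 ;;
        *)                   echo "not vulnerable: $bin ignored the trailing command"; return 0 ;;
    esac
}

# Complementary check: on a patched bash the same variable reaches the child
# process as plain text, so scripts can still read it as data.
# Returns 0 if the child sees the literal string unchanged, 2 if bash is missing.
env_value_is_literal() {
    bin="${1:-$BASH_BIN}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    expected='() { :;}; echo SHELLSHOCK_MARKER'
    got=$(env PROBE="$expected" "$bin" -c 'printf %s "$PROBE"' 2>/dev/null)
    [ "$got" = "$expected" ]
}

# First line of `bash --version`, for comparing against the 3.2.x build Apple
# ships and the 4.3.x build mentioned later in the post.
bash_version_line() {
    "${1:-$BASH_BIN}" --version 2>/dev/null | head -n 1
}

shellshock_check
env_value_is_literal && echo "environment value passed through as data"
bash_version_line
```

Run it as `BASH_BIN=/bin/bash sh shellshock_check.sh` to test the system bash, or point BASH_BIN at another installed build to compare before and after an update.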

The bash developers and community have worked feverishly to investigate and fix these bugs. Apple has released “OS X bash Update 1.0” which includes fixes for the initial pair of bugs, but it unfortunately does not address subsequent bugs. As a further inconvenience, Apple does not provide this update via Software Update or the App Store, so you must download & install the appropriate update for your version of OS X:

OS X bash Update 1.0 – OS X Lion (10.7)
OS X bash Update 1.0 – OS X Mountain Lion (10.8)
OS X bash Update 1.0 – OS X Mavericks (10.9)

For those of you running Mac OS X 10.4 Tiger through 10.6 Snow Leopard on much older Macs, the developers of TenFourFox (an open-source version of the Firefox web browser specifically for older PPC & Intel Macs) provide a download along with detailed instructions to install a version of bash that fixes all the known vulnerabilities at this time. It does require command line experience, so it is not for the faint of heart. The updated version provided by the TenFourFox team can also be used on OS X 10.7 Lion through 10.9 Mavericks and actually installs the very latest 4.3.x version of bash, as opposed to the older 3.2.x version that Apple includes by default (and provided the partial fix for). This newer version of bash also has some benefits that programmers might enjoy, but it comes at the risk of possibly being downgraded by a future OS X update from Apple.

If you never use the Terminal app, I’d suggest you at least apply the appropriate version of “OS X bash Update 1.0” and any future updates that Apple might release to fix the additional vulnerabilities. For those of you who use Terminal with any frequency, you’ll want to proceed with caution and weigh the pros & cons of relying on Apple’s partial update or manually updating to the latest version of bash for your particular use.
