Diagnosing & Treating Bash "Shellshock"

OS X is a descendant of a long lineage of UNIX operating systems, from which it inherits its incredible stability and enhanced security. However, the past two weeks have uncovered numerous bugs in a core piece of software relied on by many UNIX operating systems, OS X included: bash (Bourne-again shell). It turns out that these bugs have been very long standing and can be exploited in numerous ways to provide unchecked access to a computer (in some cases remotely) with an afflicted version of bash installed. Due to the surprise and scope of this vulnerability, many have dubbed it “Shellshock”, in reference to the combat fatigue experienced by soldiers, but it’s really not a fair comparison to the effects of war.

A “shell” is a program that interprets and acts on textual commands either entered directly by a user at a terminal (or using a virtual terminal like the Terminal app found in /Applications/Utilities on OS X) or from a file containing one or more commands to be run automatically (sort of like a player piano, if that’s even a useful analogy anymore.) Bash is a very common shell program and is the default on many UNIX operating systems, including OS X (as of Mac OS X 10.3 Panther). If you’ve ever opened up the Terminal app and run a command in the last decade, you’ve used bash.

I personally write a fair number of scripts in the bash language to automate various processes on my computers and servers, primarily because it is so ubiquitous. It may be partly because I’m a bit of a masochist, but—as a server admin—I also find it helps me perform tasks more efficiently when working in Terminal since it is the default. Needless to say, I immediately started investigating the bugs, the attacks, and testing OS X workstations and servers.

Fortunately, without very specific custom configuration, OS X is not vulnerable to remote attacks through the afflicted version of bash, as echoed in the following statement from Apple (given to Jim Dalrymple of The Loop):

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. […] With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.

None of the OS X 10.6 Snow Leopard through OS X 10.9 Mavericks systems I tested were vulnerable to remote attacks; however, all versions were susceptible to local attacks. The bugs are such that malicious commands can be inserted into “environment variables” (just what they sound like, data that exists in the environment in which individual shell scripts are run and therefore can be accessed by many scripts) and will be automatically executed upon any bash command or script being run. Not good. Since there are multiple bugs, there are different ways to test for each, but I find running the ‘bashcheck’ script to be a very convenient way to test for all of them at once.
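As an added illustration (not part of the original article and not the ‘bashcheck’ script), the check below tests a given shell binary for the first of these bugs only: a command placed after a function definition in an environment variable being run when bash starts. The function name, variable name and marker string are made up for this example, and a clean result here says nothing about the later bugs.

```shell
#!/bin/sh
# Added example: local check for the original Shellshock behaviour only.
# All names below (check_env_import, probe, MARKER) are hypothetical.

MARKER="ENV_IMPORT_EXECUTED"   # constructed, harmless marker string

# check_env_import SHELL_PATH
# Prints one verdict word: "vulnerable", "not-vulnerable" or "missing".
check_env_import() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # "probe" holds a function definition followed by a trailing echo.
    # A fixed bash treats the value as plain data; an affected bash runs
    # the echo while importing the variable, before "true" executes.
    # stderr is dropped because partially fixed builds print a warning.
    out=$(env probe="() { :;}; echo $MARKER" "$shell_path" -c 'true' \
          2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not-vulnerable" ;;
    esac
}

# Report on both shells; on OS X, /bin/sh is also a copy of bash.
for candidate in /bin/bash /bin/sh; do
    printf '%s: %s\n' "$candidate" "$(check_env_import "$candidate")"
done
```

Run it again after installing an update to confirm the verdict changed; the script exercises only the binaries named in the loop, so add any other bash you have installed (for example one under /usr/local/bin).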

The bash developers and community have worked feverishly to investigate and fix these bugs. Apple has released “OS X bash Update 1.0” which includes fixes for the initial pair of bugs, but it unfortunately does not address subsequent bugs. As a further inconvenience, Apple does not provide this update via Software Update or the App Store, so you must download & install the appropriate update for your version of OS X:

OS X bash Update 1.0 – OS X Lion (10.7)
OS X bash Update 1.0 – OS X Mountain Lion (10.8)
OS X bash Update 1.0 – OS X Mavericks (10.9)

For those of you running Mac OS X 10.4 Tiger through 10.6 Snow Leopard on much older Macs, the developers of TenFourFox (an open-source version of the Firefox web browser specifically for older PPC & Intel Macs), provide a download along with detailed instructions to install a version of bash that fixes all the known vulnerabilities at this time. It does require command line experience, so is not for the faint of heart. The updated version provided by the TenFourFox team can also be used on OS X 10.7 Lion through 10.9 Mavericks and actually installs the very latest 4.3.x version of bash as opposed to the older 3.2.x version that Apple includes by default (and provided the partial fix for). This newer version of bash also has some benefits that programmers might enjoy, but it comes at the risk of possibly being downgraded by a future OS X update from Apple.

If you never use the Terminal app, I’d suggest you at least apply the appropriate version of “OS X bash Update 1.0” and any future updates that Apple might release to fix the additional vulnerabilities. For those of you who use Terminal with any frequency, you’ll want to proceed with caution and weigh the pros & cons of relying on Apple’s partial update or manually updating to the latest version of bash for your particular use.
