Diagnosing & Treating Bash "Shellshock"

OS X is a descendant of a long lineage of UNIX operating systems, from which it inherits its stability and much of its security model. However, the past two weeks have uncovered a series of bugs in a core piece of software relied on by many UNIX operating systems, OS X included: bash (the Bourne-again shell). These bugs have been present for a very long time and can be exploited in numerous ways to run arbitrary commands on a computer (in some cases remotely) that has an affected version of bash installed. Due to the surprise and scope of the vulnerability, many have dubbed it “Shellshock”, in reference to the combat fatigue experienced by soldiers, but it’s really not a fair comparison to the effects of war.

A “shell” is a program that interprets and acts on textual commands, either entered directly by a user at a terminal (or in a terminal emulator like the Terminal app found in /Applications/Utilities on OS X) or read from a file containing one or more commands to be run automatically (sort of like a player piano, if that’s even a useful analogy anymore). Bash is a very common shell and is the default on many UNIX operating systems, including OS X (since Mac OS X 10.3 Panther). If you’ve ever opened the Terminal app and run a command in the last decade, you’ve used bash.

I personally write a fair number of scripts in the bash language to automate various processes on my computers and servers, primarily because it is so ubiquitous. It may be partly because I’m a bit of a masochist, but, as a server admin, I also find it helps me perform tasks more efficiently when working in Terminal, since it is the default. Needless to say, I immediately started investigating the bugs and the attacks, and testing OS X workstations and servers.

Fortunately, in its default configuration OS X is not exposed to remote attacks through the affected version of bash, as echoed in the following statement from Apple (given to Jim Dalrymple of The Loop):

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. […] With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.

None of the OS X 10.6 Snow Leopard through OS X 10.9 Mavericks systems I tested were vulnerable to remote attacks; however, all versions were susceptible to local attacks. The bugs are in the way bash imports shell functions from “environment variables” (just what they sound like: named values that live in the environment of a running process, are inherited by every child process it starts, and so can be read by many scripts). When a vulnerable bash starts, it treats any variable whose value begins with “() {” as a function definition, and it keeps going past the end of the function body and executes whatever commands were tacked on after it. So anyone who can place a crafted value in the environment of a new bash process gets their commands run, before the script or command that bash was actually asked to run even begins. The attack becomes remote when a network-facing service copies attacker-supplied data into environment variables and then launches bash; the classic case is a web server handing HTTP request headers to a CGI script written in bash, which is the kind of “advanced UNIX service” Apple’s statement refers to. Not good. Since there are multiple bugs, there are different ways to test for each, but I find running the ‘bashcheck’ script to be a very convenient way to test for all of them at once.
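As an added example (this is not part of the original post and not the bashcheck script it mentions), here is a small POSIX shell script that probes a given bash binary for the two best-known bugs: the original function-import bug, and the parser bug that the first fix left behind. Both probes work the same way the bugs do: they set a crafted environment variable and start a child bash. The variable name X and the marker string are arbitrary choices for this example; the third function shows what a fixed bash does instead, namely exporting functions under a BASH_FUNC_ prefix that an ordinary variable cannot collide with.

```sh
#!/bin/sh
# Added example: probe a bash binary for the Shellshock environment-import bugs.
# Usage: sh shellshock-probe.sh [path-to-bash]   (defaults to the bash on PATH)

# Probe 1: original bug. The value mimics bash's pre-fix function-export
# format, with an extra command after the function body. A vulnerable bash
# runs that extra command while importing the environment, before the -c
# command is even looked at; a fixed bash treats X as an ordinary variable.
probe_function_import() {
  bash_bin=${1:-bash}
  out=$(env X='() { :; }; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
  case $out in
    *SHELLSHOCK_MARKER*) echo vulnerable ;;
    *)                   echo patched ;;
  esac
}

# Probe 2: the incomplete first fix. The crafted value leaves the parser with
# a dangling redirection, so the -c command "echo date" is run as "date" with
# its output redirected into a file named "echo". Run in a scratch directory
# so the tell-tale file cannot land anywhere that matters.
probe_parser_redirect() {
  bash_bin=${1:-bash}
  tmp=$(mktemp -d) || return 2
  ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
  if [ -e "$tmp/echo" ]; then
    echo vulnerable
  else
    echo patched
  fi
  rm -rf "$tmp"
}

# A fixed bash still exports functions to child shells, but under a
# namespaced variable (BASH_FUNC_hello%% upstream; BASH_FUNC_hello() in some
# vendor patches) rather than a plain variable named "hello". This prints the
# exported form so you can see what the child actually receives.
show_export_format() {
  bash_bin=${1:-bash}
  "$bash_bin" -c 'hello() { echo hi; }; export -f hello; env | grep "^BASH_FUNC_hello"'
}

# Stand-alone run: report on the bash given as $1, or the one on PATH.
target=${1:-bash}
echo "function import : $(probe_function_import "$target")"
echo "parser redirect : $(probe_parser_redirect "$target")"
echo "export format   : $(show_export_format "$target" 2>/dev/null || echo 'not shown')"
```

Pass the full path of each bash you care about, since a system can carry several (on OS X, /bin/bash and /bin/sh, plus anything installed by hand), and a fix applied to one copy says nothing about the others.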

The bash developers and community have worked feverishly to investigate and fix these bugs. Apple has released “OS X bash Update 1.0”, which includes fixes for the initial pair of bugs but unfortunately does not address the subsequent ones. As a further inconvenience, Apple does not distribute this update through Software Update or the Mac App Store, so you must download and install the version that matches your release of OS X:

OS X bash Update 1.0 – OS X Lion (10.7)
OS X bash Update 1.0 – OS X Mountain Lion (10.8)
OS X bash Update 1.0 – OS X Mavericks (10.9)

For those of you running Mac OS X 10.4 Tiger through 10.6 Snow Leopard on much older Macs, the developers of TenFourFox (an open-source build of the Firefox web browser specifically for older PPC and Intel Macs) provide a download, along with detailed instructions, for installing a version of bash that fixes all of the vulnerabilities known at this time. It does require command line experience, so it is not for the faint of heart. The TenFourFox build can also be used on OS X 10.7 Lion through 10.9 Mavericks, and it installs the current 4.3.x version of bash rather than the older 3.2.x version that Apple ships by default (and partially fixed). The newer bash has features that programmers will appreciate, but a manually installed copy can be overwritten by a future OS X update from Apple, which may put an older version back, so re-check it after every system update.

If you never use the Terminal app, I’d suggest you at least apply the appropriate version of “OS X bash Update 1.0” and any future updates that Apple might release for the additional vulnerabilities. If you use Terminal with any frequency, proceed with caution and weigh the pros and cons of relying on Apple’s partial update versus manually updating to the latest bash for your particular use. Whichever route you take, verify the result afterwards: check “bash --version”, re-run the vulnerability tests, and test /bin/sh as well as /bin/bash, since on OS X /bin/sh is a copy of bash and needs the fix too.
