Diagnosing & Treating Bash "Shellshock"

OS X is a descendant of a long lineage of UNIX operating systems, from which it inherits its incredible stability and enhanced security. However, the past two weeks have uncovered numerous bugs in a core piece of software relied on by many UNIX operating systems, OS X included: bash (Bourne-again shell). It turns out that these bugs are very long-standing and can be exploited in numerous ways to provide unchecked access to a computer (in some cases remotely) with an afflicted version of bash installed. Due to the surprise and scope of this vulnerability, many have dubbed it “Shellshock”, in reference to the combat fatigue experienced by soldiers, but it’s really not a fair comparison to the effects of war.

A “shell” is a program that interprets and acts on textual commands, either entered directly by a user at a terminal (or using a virtual terminal like the Terminal app found in /Applications/Utilities on OS X) or read from a file containing one or more commands to be run automatically (sort of like a player piano, if that’s even a useful analogy anymore). Bash is a very common shell program and is the default on many UNIX operating systems, including OS X (as of Mac OS X 10.3 Panther). If you’ve ever opened up the Terminal app and run a command in the last decade, you’ve used bash.

I personally write a fair number of scripts in the bash language to automate various processes on my computers and servers, primarily because it is so ubiquitous. It may be partly because I’m a bit of a masochist, but—as a server admin—I also find it helps me perform tasks more efficiently when working in Terminal since it is the default. Needless to say, I immediately started investigating the bugs and the attacks, and testing OS X workstations and servers.

Fortunately, without very specific custom configuration, OS X is not vulnerable to remote attacks through the afflicted version of bash, as echoed in the following statement from Apple (given to Jim Dalrymple of The Loop):

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. […] With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.

None of the OS X 10.6 Snow Leopard through OS X 10.9 Mavericks systems I tested were vulnerable to remote attacks; however, all versions were susceptible to local attacks. The bugs are such that malicious commands can be inserted into “environment variables” (just what they sound like: data that exists in the environment in which individual shell scripts are run, and that can therefore be accessed by many scripts) and will be automatically executed upon any bash command or script being run. Not good. Since there are multiple bugs, there are different ways to test for each, but I find running the ‘bashcheck’ script to be a very convenient way to test for all of them at once.
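As an added illustration (not from the original post, and not the bashcheck script), the shell sketch below checks a local bash for the initial environment-variable bug only, and flags values in an environment dump that have the function-definition shape an affected bash would import. The function names, the probe variable and the sample dump are constructed for this example; the later bugs need their own tests.

```shell
#!/bin/sh
# Added example: local diagnostic for the initial environment-variable bug.

# Return 0 when a value starts with "() {", the prefix that affected bash
# versions treated as an exported function definition at startup.
is_function_shaped() {
    case "$1" in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Probe one bash binary; prints "vulnerable", "patched" or "missing".
# The probe value places a harmless echo after the function body. Only an
# affected bash runs that trailing command while importing the variable.
check_bash_import() {
    bash_bin="${1:-$(command -v bash || true)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo missing
        return 2
    fi
    out=$(env probe='() { :;}; echo IMPORTED' "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *IMPORTED*) echo vulnerable; return 1 ;;
        *)          echo patched;    return 0 ;;
    esac
}

# Count function-shaped values in NAME=value lines read from stdin.
count_function_shaped() {
    n=0
    while IFS= read -r line; do
        value=${line#*=}
        if is_function_shaped "$value"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample environment dump (not captured from a real system).
SAMPLE_ENV='HOME=/Users/admin
SAMPLE_VAR=() { :;}; echo IMPORTED
TERM=xterm-256color'

printf 'default bash: %s\n' "$(check_bash_import)"
printf 'function-shaped values in sample: %s\n' \
    "$(printf '%s\n' "$SAMPLE_ENV" | count_function_shaped)"
```

Pass a path such as /bin/bash or /bin/sh to `check_bash_import` to test a specific binary, since an updated bash installed elsewhere does not replace the system copy.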

The bash developers and community have worked feverishly to investigate and fix these bugs. Apple has released “OS X bash Update 1.0” which includes fixes for the initial pair of bugs, but it unfortunately does not address subsequent bugs. As a further inconvenience, Apple does not provide this update via Software Update or the App Store, so you must download & install the appropriate update for your version of OS X:

OS X bash Update 1.0 – OS X Lion (10.7)
OS X bash Update 1.0 – OS X Mountain Lion (10.8)
OS X bash Update 1.0 – OS X Mavericks (10.9)

For those of you running Mac OS X 10.4 Tiger through 10.6 Snow Leopard on much older Macs, the developers of TenFourFox (an open-source version of the Firefox web browser specifically for older PPC & Intel Macs) provide a download along with detailed instructions to install a version of bash that fixes all the known vulnerabilities at this time. It does require command line experience, so it is not for the faint of heart. The updated version provided by the TenFourFox team can also be used on OS X 10.7 Lion through 10.9 Mavericks and actually installs the very latest 4.3.x version of bash as opposed to the older 3.2.x version that Apple includes by default (and provided the partial fix for). This newer version of bash also has some benefits that programmers might enjoy, but it comes at the risk of possibly being downgraded by a future OS X update from Apple.

If you never use the Terminal app, I’d suggest you at least apply the appropriate version of “OS X bash Update 1.0” and any future updates that Apple might release to fix the additional vulnerabilities. For those of you who use Terminal with any frequency, you’ll want to proceed with caution and weigh the pros & cons of relying on Apple’s partial update or manually updating to the latest version of bash for your particular use.
