Diagnosing & Treating Bash "Shellshock"

OS X is a descendant of a long lineage of UNIX operating systems, from which it inherits much of its stability and its security model. However, the past two weeks have uncovered several bugs in a core piece of software relied on by many UNIX operating systems, OS X included: bash (the Bourne-again shell). It turns out that these bugs have been present in bash for decades and can be exploited in a number of ways to run arbitrary commands with the privileges of whatever program launched bash, in some cases remotely, on any computer with an afflicted version installed. Because of the surprise and scope of the problem, many have dubbed it “Shellshock”, a nod to the combat fatigue experienced by soldiers, though it is hardly a fair comparison to the effects of war.

A “shell” is a program that interprets and acts on textual commands, either entered directly by a user at a terminal (or in a terminal emulator like the Terminal app found in /Applications/Utilities on OS X) or read from a file containing one or more commands to be run automatically (sort of like a player piano, if that’s even a useful analogy anymore). Bash is a very common shell and is the default on many UNIX operating systems, including OS X (since Mac OS X 10.3 Panther). Note that on OS X the /bin/sh used by system scripts is also a copy of bash, so a bash bug reaches even scripts that never mention bash by name. If you’ve ever opened the Terminal app and run a command in the last decade, you’ve used bash.

I personally write a fair number of scripts in the bash language to automate various processes on my computers and servers, primarily because it is so ubiquitous. It may be partly because I’m a bit of a masochist, but, as a server admin, I also find it helps me perform tasks more efficiently when working in Terminal since it is the default. Needless to say, I immediately started investigating the bugs, the attacks, and testing OS X workstations and servers.

Fortunately, without very specific custom configuration, OS X is not vulnerable to remote attacks through the afflicted version of bash. The remote vectors all require a network-facing service that copies attacker-supplied data into environment variables and then starts bash (the classic case being CGI scripts served by Apache, which puts request headers into the environment), and no such service is enabled on a stock OS X install. That is echoed in the following statement from Apple (given to Jim Dalrymple of The Loop):

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. […] With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.

None of the OS X 10.6 Snow Leopard through OS X 10.9 Mavericks systems I tested were vulnerable to remote attacks; however, all versions were susceptible to local attacks. The bugs live in how bash handles “environment variables” (just what they sound like: data that exists in the environment in which programs are run and is therefore inherited by every shell script started from it). Bash lets a parent shell pass function definitions to a child through the environment, and when a new bash starts it scans its environment for variables whose value begins with “() {” and imports them as functions. The flaw is that an afflicted bash kept going past the closing brace and executed whatever commands were appended after it. So anyone who can set an environment variable that a bash process will later see can have their commands run at the moment that bash starts, before the script itself does a single thing. Not good. Since there are multiple bugs, there are different ways to test for each, but I find running the ‘bashcheck’ script to be a very convenient way to test for all of them at once.
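To see the first two bugs for yourself, you can probe a bash binary the same way the bashcheck script does. The script below is an added example written for this article, not code from the original post or from the bashcheck project. It assumes the bash under test is the first bash in PATH unless BASH_BIN points at another binary (on OS X you would run it twice, with BASH_BIN=/bin/bash and BASH_BIN=/bin/sh, since /bin/sh is also bash), and it covers only the two bugs Apple’s update addresses, CVE-2014-6271 and CVE-2014-7169; the later bugs need the full bashcheck script.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or the bashcheck project.
# Probes the bash named by BASH_BIN (default: first "bash" in PATH) for the
# two original Shellshock bugs, then shows the legitimate feature they live in.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: a variable whose value starts with "() {" is imported as a
# function when bash starts. A vulnerable bash also runs the commands that
# follow the closing brace while still parsing the environment, i.e. before
# the "-c" command has executed anything of its own.
check_cve_2014_6271() {
    local out
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "no such bash: $BASH_BIN"; return 1; }
    out=$(env x='() { :;}; echo INJECTED' "$BASH_BIN" -c 'echo body' 2>/dev/null)
    case "$out" in
        *INJECTED*) echo "VULNERABLE" ;;
        *)          echo "patched" ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug. A malformed function body
# leaves a dangling redirection that is applied to the next command, so
# "echo date" becomes "date > echo" and a file named "echo" appears in the
# working directory. We run it in a throwaway directory and look for the file.
check_cve_2014_7169() {
    local dir out
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "no such bash: $BASH_BIN"; return 1; }
    dir=$(mktemp -d) || return 1
    (cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1)
    if [ -e "$dir/echo" ]; then out="VULNERABLE"; else out="patched"; fi
    rm -rf "$dir"
    echo "$out"
}

# For contrast, the feature the bugs live in: "export -f" hands a function to
# child shells through the environment. A patched bash still supports this;
# it simply stops parsing at the closing brace. $0 inside the -c script is the
# path of the bash under test, so the inner shell is the same binary.
exported_function_demo() {
    "$BASH_BIN" -c 'greet() { echo "hello from an exported function"; }
                    export -f greet
                    "$0" -c greet' "$BASH_BIN"
}

main() {
    echo "Testing: $BASH_BIN"
    echo "CVE-2014-6271: $(check_cve_2014_6271)"
    echo "CVE-2014-7169: $(check_cve_2014_7169)"
    exported_function_demo
}
main "$@"
```

On a patched bash both checks print “patched” and the third function still prints its greeting, which is the point: passing functions through the environment is a feature bash keeps. The fix is that parsing now stops at the closing brace and, in current upstream bash, only specially named variables (BASH_FUNC_name%%) are even considered for import, so an arbitrary variable like x or X above is treated as plain text.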

The bash developers and community have worked feverishly to investigate and fix these bugs. Apple has released “OS X bash Update 1.0”, which includes fixes for the initial pair of bugs (CVE-2014-6271 and CVE-2014-7169) but unfortunately does not address the bugs reported after them. As a further inconvenience, Apple does not provide this update via Software Update or the App Store, so you must download and install the appropriate update for your version of OS X:

OS X bash Update 1.0 – OS X Lion (10.7)
OS X bash Update 1.0 – OS X Mountain Lion (10.8)
OS X bash Update 1.0 – OS X Mavericks (10.9)

For those of you running Mac OS X 10.4 Tiger through 10.6 Snow Leopard on much older Macs, the developers of TenFourFox (an open-source version of the Firefox web browser specifically for older PPC & Intel Macs) provide a download along with detailed instructions to install a version of bash that fixes all the vulnerabilities known at this time. It does require command line experience, so it is not for the faint of heart, and remember that OS X ships bash as both /bin/bash and /bin/sh, so a manual install has to replace both copies or the system shell stays vulnerable. The updated version provided by the TenFourFox team can also be used on OS X 10.7 Lion through 10.9 Mavericks and installs the very latest 4.3.x version of bash rather than the 3.2.x version that Apple includes by default (and provided the partial fix for); Apple has stayed on 3.2.x because it is the last release under GPLv2, with bash 4 being licensed under GPLv3. The newer version has some features that programmers will enjoy, but it comes with the risk that a future OS X update from Apple may silently downgrade it back to 3.2.x, so re-run your vulnerability check after every system update.

If you never use the Terminal app, I’d suggest you at least apply the appropriate version of “OS X bash Update 1.0” and any future updates Apple might release to fix the additional vulnerabilities. For those of you who use Terminal with any frequency, or who run Apache CGI scripts or other UNIX services on a Mac, you’ll want to proceed with caution and weigh the pros and cons of relying on Apple’s partial update versus manually updating to the latest version of bash for your particular use.
