Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bug OS X Open Source Security

Apple Fixes Shellshock In OS X 174

jones_supa (887896) writes Apple has released the OS X Bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion, a patch that fixes the "Shellshock" bug in the Bash shell. Bash, which is the default shell for many Linux-based operating systems, has been updated two times to fix the bug, and many Linux distributions have already issued updates to their users. When installed on an OS X Mavericks system, the patch upgrades the Bash shell from version 3.2.51 to version 3.2.53. The update requires the OS X 10.9.5, 10.8.5, or 10.7.5 updates to be installed on the system first. An Apple representative told Ars Technica that OS X Yosemite, the upcoming version of OS X, will receive the patch later.
This discussion has been archived. No new comments can be posted.

Apple Fixes Shellshock In OS X

Comments Filter:
  • by Anonymous Coward on Tuesday September 30, 2014 @07:47AM (#48026323)

    I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the slashdot article and manually download the patch?!?!?

    • by kybred ( 795293 ) on Tuesday September 30, 2014 @07:54AM (#48026363)

      I downloaded and installed this update. It updates bash to version 3.2.53(1), but a patch to version 3.2.54(1) is available on gnu.org. I'm guessing that there will be more updates since additional issues with the parsing in bash have been (are being) found.

    • by Tarlus ( 1000874 )

      I think Apple is a little leery about being too quick to release patches these days...

      • probably waiting for everyone else to fix it first so its an easy job
      • Yeah, I guess they're worried it will mess up their cloud or phone calls or something. :-P

    • often the patches are rolled out over the course of a day to prevent overwhelming the servers. no bigs.
      • And at 3.3M they may as well just push it out rather than delaying it. A couple of checks will be more costly than just letting everyone download it straight away.

    • by tlhIngan ( 30335 ) <slashdot.worf@net> on Tuesday September 30, 2014 @10:29AM (#48027533)

      I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the slashdot article and manually download the patch?!?!?

      Because of many reasons.

      First off, the patch isn't complete. Sure there was a patch last week, but did you know it didn't fix the problem? Yes, it fixed the obvious error, but there were still more (and new CVE was opened for Shellshock). Bash devs are still finding more holes related to this issue, and it goes down a deep rabbit hole. This hole may never be full patched for a long time.

      Second, there aren't many OS X systems that are exploitable. Remote exploits require a server to take parameters, format them as environment variables and then call the shell (usually through system()). HTTP and CGI scripts are a common vector because that's exactly how they work. Most webservers out there run Linux and there really isn't a special reason to run OS X + httpd + CGI over running it on Linux especially on a public server. So for the scant few servers, those admins can update the shell.

      And on OS X, the webserver is disabled by default and most users won't know how to turn it on. I don't think even OS X server has it on by default - given the server is really just a bunch of admin tools nowadays.

      Third, well, I don't think many OS X apps actually bother using a call like system() to perform a task - there's probably a native Cocoa API that is supposed to be used instead.

      So it's more of a hotpatch for those few machines that are potentially vulnerable. In fact, the patch that was provided last week wasn't fixing the issue, more working around the issue so it's harder to exploit (i.e., instead of an arbitrary variable containing a function, it has to be prefixed with _BASH_FUNC_ in order to be allowed as a definition).

      There is currently no root-cause fix for the issue - it's actively being worked on by Bash developers and others. This isn't like heartbleed where the mistake was a little programming oversight - it's a full on design issue that dates back 20+ years. There are probably going to be dozens of patches to fix the issue in the end.

      • > it has to be prefixed with _BASH_FUNC_ in order to be allowed as a definition)

        What's stopping me passing _BASH_FUNC_ in a HTTP request to a BASH CGI script?

    • by wwphx ( 225607 )
      The suspicion is that this will be a silent slipstream patch and you won't notice it. And that's probably fine for most Mac users. Myself, I manually applied it.

      My question is whether this is a full patch, or just the partial one that they've been talking about for most *nix distros.
  • How about releasing a version of bash that has function passing disabled. That would be safer and we can find out what breaks.

    • by Anonymous Coward on Tuesday September 30, 2014 @08:05AM (#48026429)

      How about releasing a version of bash that has function passing disabled. That would be safer and we can find out what breaks.

      If only bash were open source, one could do this themselves instead of hoping others might do it for them.

      • Re: (Score:3, Interesting)

        by Anonymous Coward
        Hey, not me. I'm expecting the open source community to do it for me for no cost, while I sip mojitos.
      • Everyone should just go and learn C and how to do POSIX programming, attain enough mastery in it to be able to diagnose code for obscure security issues (that have eluded many programmers for years) and then design a secure fix.

        And they should do that in a day.

        Ya that sounds reasonable.

        FYI not only are most people not programmers, and have no interest in becoming programmers, but most lack the kind of brain it takes to be a good programmer. The whole "Oh it is OSS fix it yourself!" argument is a really stup

    • by ihtoit ( 3393327 )

      ...or you could do it yourself, BASH is open source.

      • ...or you could do it yourself, BASH is open source.

        Maybe the GP is not a programmer and is thus not able to do it himself. Open source is great but it's not a magic panacea.

        I suppose he could hire someone to do it for him but complaining on /. is just way easier ;-)

        • by jythie ( 914043 )
          Even if one is a programmer and is able to do it themselves, what most of us probably want is to be sure the websites that we interact with have updated their versions, and a lot of companies (or their admins) stick to what has been fixed and pushed out rather then hack their local versions.
        • by Dunkirk ( 238653 ) *

          There's a cutoff where it's useful to say that "you can do it yourself." I *am* a programmer, and have been for 35 years or so. One thing that annoyed me -- "back in the day" -- was Evolution's spotty support for Palm Pilot synchronization. I was fiddling with Gentoo's portage versions of the program and the various libraries so much that I finally downloaded the source for Evolution, and started to look at where the code that governed this problem lived. I recall asking someone a question about the source

          • Also... As an open source contributor and also long time software developer, there's no end of things to sink my spare time into, but my spare time is already alloted to other projects (some of them open source)... Sometimes I just want to flop on the couch and watch TV but {mythtv,xbmc,plex} is broken in a way that prevents me from doing it... So yes, I might be capable of fixing it myself, assuming I could find the bug in source I don't know, figure out the correct fix, that isn't going to break a dozen o

            • +1 million. it's not about being incompetent or not knowing how to do it. it's that we're all busy with life and don't have free hours to dive in to something like this. outside of work I recently picked up a new "hobby" and it poops all the time and wakes me up in the middle of the night
    • by hweimer ( 709734 )

      How about releasing a version of bash that has function passing disabled.

      People are using this feature and taking it away will break stuff. The latest update (not sure whether Apple already ships it) stores all function definitions with a prefix of BASH_FUNC_, and function definitions are disabled for all variables not starting with the prefix. This allows to retain the feature, but prevents the execution of malicious code at the same time.

      • by fnj ( 64210 )

        Unless of course the malefactors know this and stick BASH_FUNC_ in front of their exploit strings.

        • by hweimer ( 709734 )

          Unless of course the malefactors know this and stick BASH_FUNC_ in front of their exploit strings.

          This won't work because an attacker will only be able to manipulate the content of some environment variable, but not its name. And being able to manipulate arbitrary environment variables has always been equivalent to being able to execute arbitrary code. Think LD_PRELOAD or IFS, for example.

          • > an attacker will only be able to manipulate the content of some environment variable, but not its name.

            How can this be true?

            I just tried and successfully passed the variable "_BASH_FUNC_thingy" with the value "my_attack" through my apache web server to a CGI script using a url entered into a browser.

    • by DarkOx ( 621550 )

      You mean like practically everyone's .profile

      • by tom17 ( 659054 )

        The profile is sourced after the bash shell has already initialised. If my understanding is correct, the exploits are triggered because bash parses the environment during initialisation.

        Not sure if this is 100% correct, or if there is a difference in before vs after parsing, but if I am correct, this would not affect user profiles.

        Anyone care to expand?

        • by DarkOx ( 621550 )

          I think you are correct on this point, I was a little too quick. Still I suspect there would be issues; which people who make heavy use of the shell would 'feel'

          Consider ssh->bash->screen->bash. The first bash will be a login shell that sources the profile, the second will be a subshell, and would no longer have the functions defined. Sure there are plenty of ways to 'solve' that problem but will certainly require some alterations to common work flows.

  • only took them five days to fix from the disclosure [slashdot.org].

    • Re:that was fast (Score:5, Interesting)

      by zerosomething ( 1353609 ) on Tuesday September 30, 2014 @08:19AM (#48026499) Homepage
      Unfortunately Apple knows very few actually run OS X server and Apache through it so the possible compromised systems, in their eyes, was very small. i.e. not a big deal to get this out fast. What they don't realize is that a large number of institutions actually use their server product to manage all the Macs in the institution. If the servers were compromised then all the clients would then be at risk. Think instant Mac bot net! Fortunately this is open source software and you can patch it your self but most Mac servers are run by people that don't know how to do that. Sigh...
  • . . . until they do.

    With more Apple computers running in high-value commercial enterprises, one has to wonder why they are so lax about security.

    • Who is lax about security? Apple? Why do you think so?
      • The OS X BASH vulnerability patch is still not available as an automatic update whereas most Linux repositories had one available within 72 hours of the exploit. Studies of operating system security show that vulnerabilities in OSX persist the longest without being patched (assuming you discount big server OS's like Solaris) while Windows is patched the quickest. [1]

        It shows a huge difference in attitudes, in my opinion. Microsoft is enterprise focused, so they take security vulnerabilities very seriously

        • by unimacs ( 597299 )
          - Your study is 6 years old.
          - RedHat was the only linux distro in the survey that I saw
          - The nature of the vulnerabilities that Microsoft typically patched was quite a bit different from those in the other operating systems studied.

          I really doubt it's a difference in attitude. It could simply be that considering that considering their user base, Apple puts any patches through a much more rigorous testing than a linux distro typically does. They may (correctly) conclude that a rushed patch could do mo
          • 1. I have seen no evidence that Apple has increased the speed of its patching of security vulnerabilities since the study was conducted (this latest patch delay being just one example). Do you have any evidence that Apple has changed?

            2. Red Hat is the best-supported corporate Desktop Linux distro, so it makes since to use them as a base of comparison as opposed to something more consumer-oriented like Ubuntu.

            3. Multiple other studies have show that Apple lags behind in fixing security flaws.[1] [2]

            Do y

            • by unimacs ( 597299 )
              Your first source sites a report from Trend Micro that barely mentions OS X. It shows a chart with the number of vulnerabilities by vendor but it doesn't make any effort to characterize the severity of the vulnerabilities or the likelihood of being affected by them.

              Your second source is not a study or report at all but the opinion of a guy selling security software. I'm not saying his opinion isn't worth anything, only that he stands to gain by scaring OS X users into buying his software. And just as an
          • It could simply be that considering that considering their user base, Apple puts any patches through a much more rigorous testing than a linux distro typically does.

            Yeah, I was really pissed when RHEL released a patch for a kernel bug last week and it disabled the phone app on my iPhone. *#$^ing RedHat.

            • by unimacs ( 597299 )

              It could simply be that considering that considering their user base, Apple puts any patches through a much more rigorous testing than a linux distro typically does.

              Yeah, I was really pissed when RHEL released a patch for a kernel bug last week and it disabled the phone app on my iPhone. *#$^ing RedHat.

              Not exactly sure what you're trying to say but let me clarify my statement. Apple's users require more hand holding than RHEL users. I'm very serious when I say that Redhat's patch testing process may not be as rigorous as Apple's and I will add that because of the differences in user base, it doesn't have to be.

              I wasn't slamming RedHat or linux at all if that's what you thought.

              • I was making a reference to the recent Apple patch that disabled the phone on the iPhone.
                http://support.apple.com/kb/DL... [apple.com]?

                This release contains improvements and bug fixes, including:
                Fixes an issue in iOS 8.0.1 that impacted cellular network connectivity and Touch ID on iPhone 6 and iPhone 6 Plus

                On their new flagship phones for iOS8. If Apple devs were really that thorough, I doubt that would have passed the first round of tests. On the other hand, I've noticed patches on RHEL take longer to release than Ubuntu which take longer than other Linux distros. But I'm not sure OSX is delayed due to rigorous testing.

                • by unimacs ( 597299 )

                  I was making a reference to the recent Apple patch that disabled the phone on the iPhone. http://support.apple.com/kb/DL... [apple.com]?

                  This release contains improvements and bug fixes, including: Fixes an issue in iOS 8.0.1 that impacted cellular network connectivity and Touch ID on iPhone 6 and iPhone 6 Plus

                  On their new flagship phones for iOS8. If Apple devs were really that thorough, I doubt that would have passed the first round of tests. On the other hand, I've noticed patches on RHEL take longer to release than Ubuntu which take longer than other Linux distros. But I'm not sure OSX is delayed due to rigorous testing.

                  Because no linux distro ever releases a patch with bugs... right? ;-)

                  Anyway. I said the process might have to be more rigorous. I didn't say it was flawless. And the whole 8.0.1 debacle only adds to my point. A patch can sometimes do more damage that what it's trying to fix. Better to take a couple extra days to get it right than to get it out as quickly as possible but screw it up.

        • I'm sorry, but I can't get exited about two days to fix one vulnerability (Major Linux distributions) versus five days to fix most, if not all known vulnerabilities (Apple). The fix is there, and I'm glad they took the time to do some additional testing, especially because bash on Mac OS X is something that a large majority of users will not even run, and those that do will mostly only use it for their command line handling. Remote exploitation is just not possible with the default settings, so I don't car

  • I have just received news of 3 updates, including the 1st release of the GM image.
  • Did anyone try to understand how this "bug" works?

    Unless you have any service running, connected to the internet, that starts "bash scripts", nothing can happen to your computer.

    Or how exactly do you think angel'o'sphere has any way (not chance! WAY!) at all to start a bash script on your computer, exploit the weakness and on top of that gain "super user" privileges?

    That is not going to happen for any private mac user who has not running an Apache etc. and has not activated CGI scripts (and a router configu

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...