Jump to content

Apple software update protects Macs from 'Bash' bug


Recommended Posts

Posted

Apple software update protects Macs from 'Bash' bug

SAN FRANCISCO (AFP) - Apple on Monday issued a software update to protect Macintosh computers from being bitten by a recently discovered "Bash" bug seen as a threat to Internet-linked devices.


Apple said the update released for OS X Lion, Mountain Lion, and Mavericks versions of its computer operating software patch a Unix shell flaw billed as a dangerous weakness that could be exploited by hackers.

Even though the flaw was found in Unix-based Mac OS and Linux operating systems, most users of Apple computers were believed to have been protected due to default settings in the software running Macintosh machines, according to the California-based company.

"The vast majority of (Macintosh) OS X users are not at risk to recently reported ’Bash’ vulnerabilities," an Apple spokesman said in an email to AFP last week.

"With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced Unix services."

The US government and technology experts last week warned of a vulnerability in some computer operating systems that could allow widespread and serious attacks by hackers.

Security specialists say that if hackers develop malware to exploit the weakness, millions of Internet-connected devices could be at risk -- from web servers to personal computers to routers, as well as any "smart" or wearable electronic devices using the software.

Some said the security hole would be more damaging than the "Heartbleed" bug which affected millions of computers worldwide earlier this year.

Patches were being made available for the flaw, which is also called "Shellshock."

afplogo.jpg
-- (c) Copyright AFP 2014-09-30

Posted

So when do we expect to see the update here ?

Last Monday via software update.

When you mean last Monday , do you mean yesterday ?

If it was a software update why has it not shown up when I have searched for updates today ?

Very Strange.

Posted

The point I was making was , if it is such an important patch / update , why wasn't it presented to us through our system ?

Thanks for the link Rubber.

Posted

Hello All, I don't know about you all, but I've always had auto info/updates

turned OFF. I back up what is needed and if I get a bug, I can always erase

the HD and reinstall the OS.

It's easy to know when Mac's have a problem, all the windoz people starting

their fingers on the TV Mac forum. The pic is why if I had notify ON, I'd still

in the same place, no updates for me, I'll keep a eye open for fingers!

rice555

post-37242-0-36574200-1412268674_thumb.j

Posted

The point I was making was , if it is such an important patch / update , why wasn't it presented to us through our system ?

Thanks for the link Rubber.

There is no access to the Bash shell from the outside, by default. So Mac users aren't affected at all, unless you did something to your system to enable remote login. Or, more likely, you turned on web sharing to serve websites.

I kind of stopped reading at that point. But if somebody can explain why (A) this can happen at all and (B) why it's not considered primarily a bug in the Apache web server, I'd be grateful.

On a normal system, you can't access the command shell from the outside, except via SSH. SSH is secure. It has not been breached. So, nobody should be able to access my bash shell at all.

On an Apache webserver, apparently Apache was routing some (all?) things through the command shell. And Apache could be attacked to route arbitrary things through the command shell (presumably with non-root rights, but that's where the bug came in, it would allow you, presumably, to escalate rights).

I'd consider this a major security flaw in Apache if true. Apache should have no business routing anything through the command shell of all things. That's like routing commands through a full stack programming environment, with nearly unlimited attack points.

  • 1 month later...
Posted (edited)

Sorry to resurrect an old(ish) thread (and apologies if it has been covered elsewhere - I looked but didn't find it) but for anybody else who is still using good old Snow Leopard and wants to upgrade bash since Apple don't seem to be going to do it there is a nice step-by-step guide at the link below to get your system to

GNU bash, version 4.3.30(5)-release (i386-apple-darwin8.11.0)

http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html

Edit: This fix doesn't need homebrew or MacPorts or anything like that, it patches a stock SL bash.

Edited by fester the benevolent

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...