The Shellshock Security Vulnerability: Quick And Simple Info
by Graham Needham (BH) on 25th September 2014
UNIX based operating systems have a component called Bourne Again Shell (Bash for short). On the 25th September 2014 a major security vulnerability was reported to have been discovered in this component. The following are known to be vulnerable:
- OS X
- UNIX
- LINUX
- Any operating system that has had the Apache web server manually installed with Common Gateway Interface (CGI) scripts active (including Windows)
- Any operating system that has had the CUPS server manually installed (including Windows)
- Any operating system that has had a Bash implementation e.g. GNU Bash manually installed (including Windows)
The following may be vulnerable:
- Jailbroken iOS (iPhone/iPad/iPod touch)
- Android smart phones and tablets with non-standard software installed (including those devices from companies bundling their own additional software)
If you have a jailbroken iPhone/iPad/iPod touch or an Android smart phone/tablet with non-standard/additional software installed on it see this article.
The following are not vulnerable:
- Non-jailbroken iOS (iPhone/iPad/iPod touch)
- Standard installation of Android on smart phones and tablets
- Windows
- Windows Phone
What has Apple said about OS X?
Apple issued official software updates fixing this issue on 29th September. Download and install the update manually from:
Q. How can I tell which version of Mac OS X I am running?
A. Go to Apple menu (top left) > About This Mac > check the version of Mac OS X.
What you should do immediately
What are you running?
OS X 10.7 and later
Apple issued official software updates fixing this issue on 29th September. Download and install the update manually from:
Mac OS X 10.6 and earlier
Mac OS X 10.6 and earlier are no longer supported with security updates so there will be no fix from Apple. If you are confident with the Terminal command line you can manually install an updated Bash by following these instructions or these. If not, you should do the following to help mitigate against any potential attacks:
Turn off all non essential sharing services
- Go to Apple Menu > System Preferences > Sharing
- UNTICK all services
- Click the "Show All" button in the top right
Do not connect your computer to any unknown/untrusted network especially Wi-Fi networks
- Click on the (Apple Menu > System Preferences >) Network system preference
- Select Wi-Fi in the list on the left
- Click the "Advanced…" button in the bottom right
- Click Wi-Fi in the tabs along the top
- Under the "Preferred Networks" list delete ANY networks in the list that are untrusted
- Click "Apply"
- Quit System Preferences
- Restart your computer
The DHCP client in OS X may have this security vulnerability so it is wise to not connect your computer to any unknown/untrusted network via Wi-Fi, ethernet or any other method.
OS X Server (10.7 and later)
Apple issued official software updates fixing this issue on 29th September. Download and install the update manually from:
Mac OS X 10.6 Server and earlier
Mac OS X 10.6 Server and earlier are no longer supported with security updates so there will be no fix from Apple. If you are confident with the Terminal command line you can manually install an updated Bash by following these instructions or these.
UNIX
Check your UNIX distribution's web site for information and updates e.g.
LINUX
Some patches are already available for:
For other LINUX distributions check their web sites for information and updates e.g.
Operating system with Apache web server with CGI scripts active
Check the Apache web site for information and updates.
Operating system with CUPS printing server
Check the CUPS web site for information and updates.
Operating system with Bash installed
Check your Bash distribution for a software update. In the meantime it's worth checking how you can disable your current Bash implementation until it is patched/fixed.
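As an added example (not part of the original post), the following shell script reports whether each copy of Bash found on the system still runs a command appended to a function definition passed in an environment variable, which is the behaviour the Shellshock updates remove. The function names, the `probe` variable and the marker string are made up for this example.

```sh
#!/bin/sh
# Added example: local self-check for the Bash function-import flaw.
# All names below (check_bash, probe, SHELLSHOCK_MARKER) are made up for this example.

# check_bash BINARY
# Prints "vulnerable", "not vulnerable" or "missing" for one Bash binary.
check_bash() {
    if [ ! -x "$1" ]; then
        echo "missing"
        return 0
    fi
    # The variable looks like an exported function followed by an extra command.
    # An unpatched Bash runs that extra command at start-up; here it only
    # echoes a marker. A patched Bash ignores it and prints nothing.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$1" -c ':' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *) echo "not vulnerable" ;;
    esac
}

# list_bash_binaries
# Prints every executable called "bash" on PATH and in a few common
# install locations (manual installs often land in /usr/local or /opt).
list_bash_binaries() {
    (
        IFS=:
        for dir in $PATH /bin /usr/bin /usr/local/bin /opt/local/bin; do
            if [ -x "$dir/bash" ]; then
                echo "$dir/bash"
            fi
        done
    ) | sort -u
}

# scan_all
# One line per Bash found, so an old copy left behind by a manual
# install is not missed after the system copy has been updated.
scan_all() {
    list_bash_binaries | while IFS= read -r bash_path; do
        printf '%s: %s\n' "$bash_path" "$(check_bash "$bash_path")"
    done
}

scan_all
```

The script probes only the behaviour described in its comments; installing your vendor's Bash update remains the fix.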
A web site
Most companies that you pay to host your web site(s) on the internet use servers running UNIX or LINUX along with services such as Apache. Both of these operating systems and Apache (with CGI scripts active) are vulnerable, so if you run any web site that holds customer/sensitive data and/or handles e-commerce/processes card payments you need to be putting pressure on your hosting company to provide information on whether the server your site is running on has been patched/updated.
Is there anything else I should do?
Yes. Due to the ubiquity of Bash, the exploit can affect a wide variety of different devices connected to the internet (the Internet of Things) including routers, IP video cameras and smart home appliances. So over the next few days/weeks you should check for updates to anything you have that connects to the internet.
Further Reading
MacStrategy Security Articles
#1 - Physical
#2 - Software
#3 - Malware, Social Engineering and Scams
#4 - Securing Data
#5 - User Names and Passwords including Apple IDs
#6 - Networking/Internet/Online Shopping
#7 - Securing Older Mac Operating Systems
#8 - Apple's OS X Gatekeeper
#9 - For People Wearing Tinfoil Hats
Blog Post Author = Graham Needham (BH)
Blog Post Created On = 25th September 2014
Blog Post Last Revised = 25th January 2018 12:45
Blog Post URL = https://www.macstrategy.com/blog_post.php?25
This blog post is representative of the blog author's individual opinions and as such any opinions that may be expressed here may not necessarily reflect the views of everyone at MacStrategy or the holding company Burning Helix.