Red Hat security researchers have discovered a new security flaw in the common “Bash” command shell found in Linux and OS X. The flaw can be exploited to deploy malicious code with very little effort on the attacker’s part.
Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.
Security researcher Robert Graham wrote on his blog that the exploit “is as big as Heartbleed,” referring to the OpenSSL flaw discovered earlier this year in the software that secures connections between clients and servers.
“Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”
Heartbleed reportedly affected 66% of the Internet; however, Apple announced in April that the flaw didn’t affect its software or “key services.” The company did later release a Heartbleed-related firmware update for its AirPort Extreme and Time Capsule devices.
9to5Mac notes that in a Stack Exchange thread users debate how this could affect Mac users; one user takes the position that while Macs are technically vulnerable, most are unlikely to be at risk in practice.
Yes you are technically vulnerable. But the reality is unless you allow SSH access from remote connections or a web server that runs server side scripting, you are not at risk. You are only truly vulnerable if someone you do not know can remotely access your machine & do so in a way where a Bash command can be executed.
So this issue is mainly of concern to system administrators on Mac OS X & Unix/Linux servers exposed to the world, not desktop users who do not enable SSH sharing.
Another user describes that user’s view as “naive.”
… or have an application running, listening on an open port that allows RPC calls to be made that end up running shell commands. This could be any number of things as there are plenty of standard applications that do their RPC. I think this answer is very naïve. It’s very easy to be “running a web server” inadvertently in the course of running an application that does some client-server type thing.
Apple did not include a fix for the Bash exploit in its latest round of security updates that came with the release of OS X Mavericks 10.9.5.
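The Bash flaw the article refers to is triggered by function definitions that an affected bash imports from environment variables and then keeps executing past the function body. The self-check below is an added example, not code from the article, Red Hat, or Apple; it reuses the probe string Red Hat published with its advisory, assumes a POSIX sh, and the candidate bash paths (vendor copy plus package-manager builds) are assumed locations, not from the page.

```shell
#!/bin/sh
# Added self-check, not from the article. Mirrors the Red Hat diagnostic:
# an affected bash imports the function definition held in the environment
# variable x and continues parsing after the closing brace, so the trailing
# "echo vulnerable" runs before the -c command does. A patched bash prints
# only "probe".

# Probe one bash binary (default: the first "bash" on PATH).
# Prints one word: vulnerable | patched | missing
check_bash_env_import() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # x holds a harmless empty function followed by a trailing command; only
    # an unpatched bash executes the part after the brace.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# OS X and Linux hosts often carry more than one bash: the vendor copy in
# /bin and a package-manager build elsewhere (paths below are assumed).
# Report each one found; return non-zero if any is affected.
check_all_bash_binaries() {
    rc=0
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
        [ -x "$b" ] || continue
        status=$(check_bash_env_import "$b" || true)
        printf '%s: %s\n' "$b" "$status"
        [ "$status" = "vulnerable" ] && rc=1
    done
    return $rc
}

check_all_bash_binaries
```

A result of "patched" only means this particular binary no longer imports and runs the trailing command; applications that spawn a different shell still need their own binary checked.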