Is there a patch out already to protect against the just discovered Shellshock bug (which exploits bash)?
Macbook Pro
You'll see the update in the app store/Newswires accordingly.
If you don't want to get affected by the bug, don't use the internet (kidding)
Basically, if you're on a Mac, don't install new software from shady sources.
Here is one option .. I just applied to macbook
http://nkush.blogspot.com/2014/09/patching-bash-shellshock-on-apple-max.html
I have successfully patched exploit method 1 with the following instructions:
However exploit method 2 is still not patched.
Unless you're running a Mac server, you don't need to do anything.
This has NOTHING to do with installing apps. The source can be run remotely. This is a completely open treasure chest that will be exploited if not already done so now that its out in the public awareness.
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
Have you tested method two?
Method 2
env X='() { (a)=>\' bash -c "echo date"; cat echo
This will create a file called echo so be sure to 'rm echo' afterward.
You will get a short list of errors but date will present at the bottom. If a date is present you are still vulnerable to method 2.
In order for the exploit to succeed, the hacker must first login into a Unix or Linux based server. How a client end Mac responds to the commands is irrelevant. Unless someone is sitting directly at your Mac to invoke the hack, the chances something can happen to your Mac is virtually nil.
No they do NOT need to be at your computer. Read posted article it explains everything inside. It can be remotely done through a relatively simply process by someone NOT needing to be logged in. The ENV are set by the attacker without credentials. Its already been proven that PHP, Cups, Apache headers and the like CAN access this exploit. Numerous systems access or are designed around bash shell. The fact no credentials are required or essential root access is the big problem and it goes as far as to exposed routers and IoT devices that likely will never receive an update.
Case in point, my airport extreme just got hacked. So stop saying this is not a problem.
Per Linc Davis, a user here who knows more about Unix than pretty much anyone else here:
The issue only affects users who run a public server.
From your post:
my airport extreme just got hacked
And what does your router have to do with the issue? Router poisoning has been known to exist for a long time, which has absolutely nothing to do with Bash, or your Mac. It's a problem with routers being shipped with remote management enabled in its settings. Reset the router, then go into the settings and disable remote access.
The truth is: yes you are technically vulnerable. But the reality is unless you allow SSH access from remote connections or a web server that runs server side scripting, you are not at risk. You are only truly vulnerable if someone you do not know can remotely access your machine & do so in a way where a Bash command can be executed.
So this issue is mainly of concern to system administrators on Mac OS X & Unix/Linux servers exposed to the world, not desktop users who do not enable SSH sharing.
Aside from the remote exploit possibility, there is the possibility of a malicious installer package making bash calls (as root!) during the install process.
Turning off remote services will help. Being very careful about running installers will help, too. But Apple needs to jump on this one and issue a patch post-haste.
Yes, it especially needs to be expedited for Mac servers hosting outside connections. We use an iMac with Lion Server here for our small business, but all broadcasting is turned off. AFP access for internal connected Macs only.
Root is disabled by default in OS X. Any attempt by such a package to install items requiring access to the system should prompt the admin password box to appear. Any time that box appears out of nowhere, you should always cancel.
This is a much larger issue, as the very excellent Troy Hunt article details. There are many vectors. Your router, is the first one. In my case pfsense is not vulnerable, but many other routers will be. Any external service running on *nix can be affected. If you run a webserver, you will have to take steps.
There may be other OS X vectors we don't yet know about, so, better to patch as soon as we can rather than waiting for a proven exploit.
macadmin78 wrote:
there is the possibility of a malicious installer package making bash calls (as root!) during the install process.
If you have a malicious installer package, there is no need to worry about obscure server exploits.
How to protect OSX against Shellshock bug?
