Apple have finally broken their silence regarding the Bash vulnerability known as Shellshock, reassuring the vast majority of their customers that those running OS X will be safe from the exploit. The issue has been rolling across the internet, reaching a peak over Thursday and Friday.
The Linux, Unix and Mac OS X communities are all worried, but the good news is that the threat is starting to be beaten back. For instance, Red Hat have said they've issued a series of patches which, for the most part, address their Linux distribution (commonly used for web servers).
Meanwhile Apple have commented on the issue, “The vast majority of OS X users are not at risk to recently reported Bash vulnerabilities,” an Apple spokesperson said. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems.”
“With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
Security experts have confirmed that Bash isn't used by OS X's internet-facing processes, which naturally reduces attackers' ability to exploit the operating system's bug. The machine isn't immune to the Shellshock bug, though: OS X is vulnerable if the user is logged into the machine (even without admin rights). For the sake of clarity, your iPhone, iPad and other iOS devices are all immune. Most Android devices are pretty safe, but if you're running CyanogenMod you are at risk.
Test your Mac or Linux Machine for Shellshock Vulnerability
Testing whether your machine is vulnerable to Shellshock is easy and straightforward, and the process is similar on OS X, UNIX and Linux. You'll need to open a command prompt (if you're struggling to find it, in Apple's OS X it's called Terminal). Once it's open, enter the following test string:
env x='() { :;}; echo I R Problem' bash -c "echo Sorry you're vulnerable!"
Paste that into the command-line window and hit return or enter. If you receive this as a reply:
I R Problem
Sorry you’re vulnerable!
Shellshock lets Bash execute a command appended after a function definition stored in an environment variable; here that trailing command is echo I R Problem. So if you see "I R Problem" echoed back, you're likely vulnerable and need to patch. A patched Bash prints only the second line (it may also print a warning that it is ignoring the function definition attempt).
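The same test, wrapped as a small POSIX shell function that reports the outcome in a single word so it can be dropped into a fleet check script. This is an added example, not code from the article; it assumes the Bash under test is the one found on PATH and uses its own marker text in place of the article's wording.

```shell
#!/bin/sh
# Added example (not from the article): wraps the one-line Shellshock test.
# Prints "vulnerable", "patched" or "no-bash" and returns 1, 0 or 2 respectively.
shellshock_check() {
    # Assumption: the interpreter under test is whichever "bash" is on PATH.
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }

    # The environment variable holds a function definition followed by an
    # extra command. A fixed Bash imports (or refuses) the function and never
    # runs the tail, so the marker text only appears on a vulnerable build.
    # The child's stderr is discarded so a patched Bash's warning does not
    # pollute the result.
    out=$(env x='() { :;}; echo VULNERABLE_MARKER' bash -c 'echo done' 2>/dev/null)

    case "$out" in
        *VULNERABLE_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# Usage: run the script directly; the exit status is 0 only when Bash is patched.
shellshock_check
```

Because the marker is a constant string rather than free text, the result can be compared in a script or collected from many hosts without parsing Bash's own messages.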
Ultimately, the biggest threats are to web servers, particularly those running CGI (Common Gateway Interface) scripts, since a CGI server copies request headers sent by client machines into environment variables before it runs the script. While the big Linux distributions are being patched, there will likely be quite a few people running VMs (virtual machines) that haven't been updated to the latest version, or who've made custom scripts or edits to their OS, leaving them particularly vulnerable.
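Because a vulnerable Bash only treats an environment value as a function when it begins with exactly "() {", that prefix is a reliable thing for a server administrator to look for in request logs. The following is an added example, not part of the article: a short shell scan that reads a common-log-format access log on stdin and prints the client address of every request whose quoted header field (referer or user-agent) starts with that prefix. The sample log lines are constructed for the example and carry harmless payloads.

```shell
#!/bin/sh
# Added example (not from the article): find Shellshock probes in an access log.

# Constructed sample in Apache common log format with referer and user-agent
# fields. Only the second and third lines carry the function-definition prefix.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.2 - - [25/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { :; }; echo probe" "curl/7.30"'

# Reads an access log on stdin and prints the client address of each request
# whose quoted header field begins with the "() {" function-definition prefix.
# A fixed-string match is used: Bash requires that exact four-character prefix
# at the very start of the value, so a field that merely contains braces
# elsewhere is not a Shellshock attempt and is not reported.
find_shellshock_probes() {
    grep -F '"() {' | awk '{ print $1 }'
}

# Runs the scan over the constructed sample (used by the usage line below).
scan_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes
}

# Usage: on a real host, feed the actual log instead of the sample, e.g.
#   find_shellshock_probes < /var/log/apache2/access.log | sort | uniq -c
scan_sample_log
```

A hit in this scan does not by itself mean the probe succeeded; it means a request carrying the prefix reached the server, which is the cue to confirm the installed Bash is patched and to review what the targeted CGI script could have done with that environment.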
“If … you have a CGI written in shell script, you are in deep trouble. Drop everything now and patch your servers,” says the founder and chief technology officer at security firm Sucuri.
“This is potentially the easiest website defacement vector we’ve ever seen, not to mention a very easy way of distributing malware,” says Australian security researcher Troy Hunt, whose blog post detailing the Shellshock flaw is getting a lot of attention, and for good reason.
So there you have it: if you’re running a Linux-based web server and you’re responsible for maintaining it, be proactive and ensure you’re running the latest patch. If necessary, speak to your hosting company for advice, and read the blogs out there to understand the problem. If you’re running your own website but aren’t responsible for the ‘server’ side of things, and instead just have public HTML access, you’d still be wise to discuss this with your host to ensure they’re on the ball. This is particularly true if the host is smaller.
If you’re a Mac OS X or Linux home user, go through the basic checks to ensure you’re as safe as possible. After that, remember that the so-called glory days of being ‘immune’ from threats because you were running a Mac or Linux OS are long gone. Check our interview with the guys over at BitDefender for more information.