Security experts across the globe have been working around the clock to create patches for the Shellshock bug that uncovered 20 years of server vulnerability on systems using Bash. It’s beginning to appear that despite the longstanding claim that Apple products are less susceptible to viruses than PCs, internal bugs are just as easily exploited by hackers, and it’s happening more and more every day.
It’s apparent that hackers are most interested in exploiting the Shellshock bug to gain access to web servers, but there are plenty of home computers and embedded devices that are also vulnerable to attacks. Apple stated publicly that they’d be providing a patch for “experienced UNIX users,” despite the fact most Mac users would likely remain unaffected by the exposure.
Shellshock Bug Patches Available for OS X
The updates are now available for OS X Mavericks, Lion, and Mountain Lion, but nothing has been released for the OS X Yosemite beta. Users will not be prompted to install these updates via the Mac App Store, but can access them directly through Apple by using those links. Speculation is that the next beta version of Yosemite to be released, which should be next week, will have a patch for the bug included in it.
The initial Shellshock bug discovery was logged in the Common Vulnerabilities and Exposures database as CVE-2014-6271. However, shortly thereafter, new attack methods were discovered to bypass the patch created to repair that exposure, and the new vulnerability has been logged as CVE-2014-7169. The notes released with Apple’s OS X Bash Update indicate that it protects against both CVE-2014-6271 and CVE-2014-7169, but there have been several additional CVEs added to the Shellshock list in the past few days.
Users whose Macs function as web servers or localhosts are especially encouraged to install the update to apply the patch. Utilizing any patch that’s available, whether it’s fully complete or not, is better than having no protection at all.
If you have questions about the security of your computer, or anything else about the Shellshock bug and patches, ask us on Facebook or give the experienced techs at TCI Technologies a call at (516) 484-5151.