Are Macs vulnerable to the Bash shellshock bug?
Solution 1:
Yes you are technically vulnerable. So if you feel like panicking or billing a panicked client for a few hours of panic work, go for it!
But the reality is unless you allow SSH access from remote connections or a web server that runs server side scripting, you are not at risk. You are only truly vulnerable if someone you do not know can remotely access your machine & do so in a way where a Bash command can be executed.
Meaning your desktop Mac—which really does not run server applications of any kind—is not at any serious risk. I am willing to eat some proverbial “humble pie” here, but I do not think the majority of Mac users out there will be at risk at the end of the day.
So this issue is mainly of concern to system administrators on Mac OS X & Unix/Linux servers exposed to the world, not desktop users who do not enable SSH sharing.
Perhaps there is an edge risk of a Mac malware or virus being created to exploit this risk, but I doubt it.
EDIT: And just to elaborate how this issue is—in my humble opinion—not really an issue to most average users, yes I can run the following command from bash
on Mac OS X 10.9.5:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
And I see this:
vulnerable
hello
Guess what? That is only terrifying if you don’t rationally think this out. I had to already have been logged into my Mac to even open the Terminal. And to negate what I said about SSH above, to even get to the point I can run this test even if SSH is enabled I would still have to be logged in to begin with. And then—let’s say I get access via SSH—the command does not allow me to do ANYTHING past my normal user rights such as this:
env x='() { :;}; echo vulnerable' bash -c 'cat /etc/ssh_host_rsa_key'
Meaning if you truly are vulnerable to being exploited by this hack, your core security on the system would have to be so compromised that the fact that bash
has a flaw is really the very least of your issues.
This is a concern from an overall control & rights issue as it as the potential to allow unintended access since the behavior extends outside of expected norms. But in my humble opinion, it is not a risk on par with OpenSSL or the garden variety “let me leave my password on a note taped to my screen” risks.
At the end of the day I am still patching all of my Linux/Unix servers I run as standard procedure. And will happily patch the Macs I manage once a fix is out. But for practical day-to-day use I feel fine not worrying about this since I do not understand how a flaw that does not allow for elevated user privileges adds up to anything.
UPDATE: Official word from Apple posted here; emphasis mine:
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an Apple spokesperson told iMore. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
Translation: What I said above about this being a server issue & not a client issue? Exactly.
A FINAL UDPATE: For anyone struggling with compiling from source, as of September 29th, Apple has officially released patches for Mac OS X 10.9.5, 10.8.5 as well as 10.7.5:
- OS X bash Update 1.0 – OS X Mavericks
- OS X bash Update 1.0 – OS X Mountain Lion
- OS X bash Update 1.0 - OS X Lion
YET ANOTHER FINAL UPDATE: And now, Apple has just released a combination security update today that includes the bash
update as well!
Note: Security Update 2014-005 includes the security content of OS X bash Update 1.0
Solution 2:
Yes!
Type this in your shell
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
If it says vulnerable
then you are vulnerable.
If it says
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
then you are good.
Edit: link to the fix
Solution 3:
As an end user, check that:
-
your guest account is off:
System Preferences > Users & Groups > Guest User
-
your
ssh
access is off:System Preferences > Sharing > Remote Login
By default these are both off on Mavericks.
As an end user, it is safer to wait for an official Apple security update fixing this bash
vulnerability.