Apple releases three patches to address GNU Bash vulnerabilities
30 Sep 2014
Apple yesterday released three patches to address vulnerabilities in GNU Bash, commonly known as Shellshock, that a hacker could exploit to execute commands on the targeted host, CSO Online reported.
When Shellshock was disclosed, concerns grew around the large number of switches, routers, and web servers that used GNU Bash as part of their Linux or UNIX environment.
However, because OS X is UNIX-based, researchers were quick to point out that Shellshock impacted far more than essential corporate assets.
In media statements, Apple initially said that a majority of OS X users had immunity against risks associated with Shellshock, due to the default configurations the OS used.
However, users who had enabled advanced UNIX services remained exposed, and the company promised them a patch, which was delivered a few days later.
Apple's patch releases cover OS X Lion, Mountain Lion, and Mavericks, and at just over 3MB in size, they were easily applied. Apple also encouraged anyone who had enabled advanced UNIX functions to install the proper patch.
OS X users were at risk if they had enabled login for all users, including guests, though security-conscious users had most likely avoided that option, due to the increased risk associated with it.
Meanwhile, according to Tulsa World, the vulnerability to Shellshock was particularly nasty, as it allowed anyone to remotely upload malware that could turn a user's computer into a botnet zombie, steal personal information or pictures, activate their webcam or, well, just about anything else a hacker could dream up.
And it was not just theory, as only hours after a researcher at cloud computing company Akamai Technologies reported the existence of the vulnerability, attacks via Shellshock started popping up on computers running Unix, Linux, Ubuntu as well as other Unix-based systems. Suddenly, it was not only the obviously sketchy websites that were automatically uploading malware to people's computers.
According to the report, one of the baffling aspects of this bug was that it had been around for over 20 years, and people were only now noticing it.
However, according to Gavin Manes, founder and CEO of digital forensic company Avansic, these kinds of vulnerabilities were common. He added that it was always known that they existed, since anyone could read the source code of Unix.
However, the good news was that only 10 per cent of the world's computers were vulnerable, including those running Linux and OS X, but the bad news was that many servers that powered websites ran Unix.