As the article states, the majority of OSX users are simply not affected by this, and those that are can and have the knowledge download and recompile patches from Red hat and the Free Software Foundation to fix it.
Besides people's Macs at home, should we also be concerned that companies we do business with may be storing our personal, medical, financial data on vulnerable servers?
In light of the lower risk to normal Mac users, I'm guessing Apple is concentrating on fixing their own servers first.
Originally Posted by Cpsro
…It takes more effort to construct a press release than to patch…
If it's that easy to patch, why all the panic?
Originally Posted by Cpsro
And it's not like pushing an album out to everyone that relatively few people want.
Well, I agree with you that Apple should have just let people download the album if they wanted to instead of pushing it out willy-nilly. To my surprise I actually liked the album when I played it.
<div class="quote-container" data-huddler-embed="/t/182525/apple-says-most-customers-not-vulnerable-to-shellshock-patch-coming-for-advanced-users#post_2607626" data-huddler-embed-placeholder="false">Quote:<div class="quote-block">Originally Posted by <strong>SolipsismX</strong> <a href="/t/182525/apple-says-most-customers-not-vulnerable-to-shellshock-patch-coming-for-advanced-users#post_2607626"><img alt="View Post" src="/img/forum/go_quote.gif" /></a><br /><br />Windows users are not vulnerable for once.</div></div><p><br />When DED applies his usual train of logic, it will seem that they are and that it's Google's fault.</p>
You missed out Samsung paying for the exploit to be released.
OS X and iOS do not have an underlying shell. People need to understand that a shell such as bash is just an application, it serves the same purpose as the "Finder"; an application that gives you access to the "system."
Right! The thing is that bash is the default shell for a lot of Unix-like operating systems and programs can (and do) execute shell scripts. My musing about DHCP (and I'm not alone in this) is that *some* DHCP clients can execute shell (bash) scripts upon connection for configuration purposes. If the OS X DHCP client does this then connection to a malicious (or compromised) DHCP server can be a problem.
One thing that worries people about this problem is that on Unix-like operating systems, bash can be run by lots of ways that aren't immediately obvious. It would make people like myself (who are responsible for dealing with stuff like this) much happier if Apple would tell us not just that it's not a problem, but why they think that's the case.
Besides people's Macs at home, should we also be concerned that companies we do business with may be storing our personal, medical, financial data on vulnerable servers?
There is a reason the default shell on my servers (and most macs) is not bash or sh, but some form of csh/tcsh
A web server is not necessarily exploitable. It would have to have mod_cgi or something similar enabled that would pass the shell variables to a shell. As one security expert mentioned, a lot of modern web "stacks" are not vulnerable as they don't use a shell to execute anything.
I read (but did not take the time to understand) that some ssh installations would run a shell to execute certain functions (even when not presenting a shell to the remote user) and that could also be a vulnerability. Anyone know more about this?
Does the default shell make a difference if Bash is still installed?
Yes. bash (which is not actually installed on most of my servers, which are BSD based) would have to be invoked somehow, and the default shell will run for the user under which the, for example, mod_cgi is spawning a process, unless bash is specifically otherwise being invoked. In other words, unless bash is specifically in the configs or otherwise specified, the default shell is used.
Hard to say but I think you're good if you don't have the web server, telnet, or any other WAN accessible features enabled.
On Airport extreme I use the airport utility app to configure the device however on all other Wi-Fi devices I have set up, they all use a browser and the interface is a web page. I don't think it is even possible to turn off the web server feature.
I blame that Maps and 8.0.1 QA guy. They should fire him again for this.
Yeah. And keep firing him until the phones don't bend any more! And the US gets a single payer health care system. And until my wife comes back with the kids.
.... and, as that country song goes, my dog wakes up from dead, my liver is back to normal, and my truck starts up again! " src="http://forums-files.appleinsider.com/images/smilies//lol.gif" />
On a more serious note: why not, just to be on the safe side, issue a patch to all OSX users? How does Apple figure out who's 'advanced'? Do they just let people figure it out for themselves?
Besides people's Macs at home, should we also be concerned that companies we do business with may be storing our personal, medical, financial data on vulnerable servers?
Hopefully, they're all cheap enough to have installed non-Apple servers and software... :-/
Should we be concerned that companies we do business with may be storing our personal, medical, financial data on vulnerable servers?
Yes but that's always a concern because not everyone updates their servers quickly enough when vulnerabilities are found. There is a PCI DSS standard that some servers are expected to comply with that helps ensure they are secure but they check known vulnerabilities and the compliance isn't required to be daily - it wouldn't be feasible.
Imagine that this kind of bug is discovered by a hacker who has been constantly looking for exploits, they won't tell anyone. They will look for a big target and run the one-line of code vulnerability that can dump an entire central database into a publicly accessible area of a server for download. Within a matter of minutes, someone can compromise millions of users' details, passwords, medical data and so on.
When you think about individual software packages or even single video games, they are multiple GBs in size. Data records are tiny: a few KB for email, name, address etc. Think how long it takes to download 1GB on normal broadband today, it's about 5 minutes. If an individual's data record is 4KB, it would take 5 minutes to steal the details of 250,000 people - likely far more with compressed data and faster internet than 20Mbps. This kind of data has already been leaked - in the following case not through technology issues but through negligence:
"A 68-year-old man was refused a place in a care home when social services found from his medical records that he was gay.
An uncle found out that his niece had a secret abortion when the company he worked for was asked to do a financial audit of the local health authority. He told her parents, who are very religious.
A woman was sacked after her GP sent her records to her employer. The notes revealed that she had a history of mental health problems."
There isn't an easy solution though. Data needs to be accessible online for efficiency. They need to use standardized systems for interoperability with client devices. The operating systems are so complex that minor flaws will crop up. There was just one guy assigned to maintain bash - one guy maintaining software used by hundreds of millions of devices. But then, how many people maintain OS X?
For highly sensitive info, they can help protect it by keeping the servers away from the public. So access only via VPN or some other network setup separated from the internet. The problem is you don't always get people who understand technology enough to keep the information their profession deals with secure. Lawyers can be good at their job but not have a clue how to protect sensitive legal documents.
You missed out Samsung paying for the exploit to be released.
Samsung uses unix systems too - Tizen and Android are both unix systems although neither likely vulnerable as they are also client and not server operating systems.
Does the default shell make a difference if Bash is still installed?
The script being exploited will usually specify which shell it wants to use so it can still execute in bash despite it not being the default. If one CGI script specified bash on two servers, they are both vulnerable. It would prevent attacks on scripts that run in whatever the default shell is.
How does Apple figure out who's 'advanced'? Do they just let people figure it out for themselves?
If you have to ask... It's not necessary to say 'advanced' as it can make people feel inadequate, it just means that people who are vulnerable already know about these kind of vulnerabilities. To turn on any public-facing server that isn't a shared server (usually managed by someone else), you need to know something about how servers work and likely configured a firewall, have dealt with command-line processes, remote shells etc.
Does the default shell make a difference if Bash is still installed?
All Redhat versions install bash and sh by default and when you set up a new user the admin specifies which shell to use, usually bash. It is possible to use sh instead and then take the execute permissions away from /bin/bash, but if you have a lot of users and cgi applications that is not practical.
The other thing that is important about this issue is that if admins delay patching their servers they could potentially get hacked and not even know it. Even if they eventually patch their server it will still be hacked. You really need to know your stuff to find the malware that is usually named the same as default files, just in a different location, so when running top, you might see two copies of of the same service with two different pids. I would imagine the hackers are scrambling to exploit this as quickly as possible.
The word 'vulnerable' shouldn't appear but 'hello' should. If both appear then the shell is vulnerable to the exploit.
Thank you very much for your informative post. Would you mind explaining the logic behind why that demonstrates the exploit. I think I get that the first part (from "x" through to "VULNERABLE'") should just set a variable x to a string and then the second part should simply use the bash shell to display the word hello. But for some reason, some aspect of the characters in the middle (the happy and winky faces ) cause the string setting to short circuit and instead see this as 3 commands? If it's that straightforward, why did no one stumble on this bug years ago?
The word 'vulnerable' shouldn't appear but 'hello' should. If both appear then the shell is vulnerable to the exploit.
Thank you very much for your informative post. Would you mind explaining the logic behind why that demonstrates the exploit. I think I get that the first part (from "x" through to "VULNERABLE'") should just set a variable x to a string and then the second part should simply use the bash shell to display the word hello. But for some reason, some aspect of the characters in the middle (the happy and winky faces ) cause the string setting to short circuit and instead see this as 3 commands? If it's that straightforward, why did no one stumble on this bug years ago?
The code is setting the shell variable x to a function, it's just an empty one here, which is what the brackets are. The flaw is that it executes code that follows it rather than ignoring it or raising an error.
I expect the reason nobody noticed it years ago is that very few people will assign functions to shell variables and if they did, they wouldn't write them wrongly on purpose. There was one guy assigned to look after the bash project and he might have been doing this in his free time. Once code is written and stable, you expect it to stay that way and you only really scrutinize changes.
This happened with Apple's SSL bug, which I think was only active for a few months but it was such a small piece of code that nobody bothered to check it for problems.
Hmm. I don’t get this from Apple. Aren’t Mountain Lion, Mavericks, and Yosemite vulnerable? That sounds like most customers ARE vulnerable...
You can quote me "no they aren"t" even if the bug is there. You can't be vulnerable to your second gas tank not working if your not driving 800 miles ;-).
This is a limited scope bug, even for advanced users. Il you are not one of those advanced thinkerers, you have nothing to worry about. Doesn't mean Apple shouldn't patch this as soon as possible of course. Though Bash is an easy compile, so most of those advance users can do it themselves quickly.
Comments
Why hasn't Apple pushed a patch already?
As the article states, the majority of OSX users are simply not affected by this, and those that are can and have the knowledge download and recompile patches from Red hat and the Free Software Foundation to fix it.Windows users are not vulnerable for once.
When DED applies his usual train of logic, it will seem that they are and that it's Google's fault.
Besides people's Macs at home, should we also be concerned that companies we do business with may be storing our personal, medical, financial data on vulnerable servers?
Why hasn't Apple pushed a patch already?
In light of the lower risk to normal Mac users, I'm guessing Apple is concentrating on fixing their own servers first.
…It takes more effort to construct a press release than to patch…
If it's that easy to patch, why all the panic?
And it's not like pushing an album out to everyone that relatively few people want.
Well, I agree with you that Apple should have just let people download the album if they wanted to instead of pushing it out willy-nilly. To my surprise I actually liked the album when I played it.
OS X and iOS do not have an underlying shell. People need to understand that a shell such as bash is just an application, it serves the same purpose as the "Finder"; an application that gives you access to the "system."
Concerned, yes; worried, no.
Concerned, yes; worried, no.
I wonder if typical home Wi-Fi routers have bash on them. They certainly have embedded web servers, DHCP and probably running Linux.
There is a reason the default shell on my servers (and most macs) is not bash or sh, but some form of csh/tcsh
A web server is not necessarily exploitable. It would have to have mod_cgi or something similar enabled that would pass the shell variables to a shell. As one security expert mentioned, a lot of modern web "stacks" are not vulnerable as they don't use a shell to execute anything.
I read (but did not take the time to understand) that some ssh installations would run a shell to execute certain functions (even when not presenting a shell to the remote user) and that could also be a vulnerability. Anyone know more about this?
Hard to say but I think you're good if you don't have the web server, telnet, or any other WAN accessible features enabled.
Does the default shell make a difference if Bash is still installed?
Does the default shell make a difference if Bash is still installed?
Yes. bash (which is not actually installed on most of my servers, which are BSD based) would have to be invoked somehow, and the default shell will run for the user under which the, for example, mod_cgi is spawning a process, unless bash is specifically otherwise being invoked. In other words, unless bash is specifically in the configs or otherwise specified, the default shell is used.
Hard to say but I think you're good if you don't have the web server, telnet, or any other WAN accessible features enabled.
On Airport extreme I use the airport utility app to configure the device however on all other Wi-Fi devices I have set up, they all use a browser and the interface is a web page. I don't think it is even possible to turn off the web server feature.
I blame that Maps and 8.0.1 QA guy. They should fire him again for this.
Yeah. And keep firing him until the phones don't bend any more! And the US gets a single payer health care system. And until my wife comes back with the kids.
.... and, as that country song goes, my dog wakes up from dead, my liver is back to normal, and my truck starts up again!
" src="http://forums-files.appleinsider.com/images/smilies//lol.gif" />
On a more serious note: why not, just to be on the safe side, issue a patch to all OSX users? How does Apple figure out who's 'advanced'? Do they just let people figure it out for themselves?
Besides people's Macs at home, should we also be concerned that companies we do business with may be storing our personal, medical, financial data on vulnerable servers?
Hopefully, they're all cheap enough to have installed non-Apple servers and software... :-/Yes but that's always a concern because not everyone updates their servers quickly enough when vulnerabilities are found. There is a PCI DSS standard that some servers are expected to comply with that helps ensure they are secure but they check known vulnerabilities and the compliance isn't required to be daily - it wouldn't be feasible.
Imagine that this kind of bug is discovered by a hacker who has been constantly looking for exploits, they won't tell anyone. They will look for a big target and run the one-line of code vulnerability that can dump an entire central database into a publicly accessible area of a server for download. Within a matter of minutes, someone can compromise millions of users' details, passwords, medical data and so on.
When you think about individual software packages or even single video games, they are multiple GBs in size. Data records are tiny: a few KB for email, name, address etc. Think how long it takes to download 1GB on normal broadband today, it's about 5 minutes. If an individual's data record is 4KB, it would take 5 minutes to steal the details of 250,000 people - likely far more with compressed data and faster internet than 20Mbps. This kind of data has already been leaked - in the following case not through technology issues but through negligence:
http://www.wired.co.uk/news/archive/2014-03/03/care-data-leaks
Here are the consequences of this kind of data getting into the wrong hands:
http://www.theguardian.com/society/2000/jun/25/futureofthenhs.health
"A 68-year-old man was refused a place in a care home when social services found from his medical records that he was gay.
An uncle found out that his niece had a secret abortion when the company he worked for was asked to do a financial audit of the local health authority. He told her parents, who are very religious.
A woman was sacked after her GP sent her records to her employer. The notes revealed that she had a history of mental health problems."
There isn't an easy solution though. Data needs to be accessible online for efficiency. They need to use standardized systems for interoperability with client devices. The operating systems are so complex that minor flaws will crop up. There was just one guy assigned to maintain bash - one guy maintaining software used by hundreds of millions of devices. But then, how many people maintain OS X?
For highly sensitive info, they can help protect it by keeping the servers away from the public. So access only via VPN or some other network setup separated from the internet. The problem is you don't always get people who understand technology enough to keep the information their profession deals with secure. Lawyers can be good at their job but not have a clue how to protect sensitive legal documents.
Samsung uses unix systems too - Tizen and Android are both unix systems although neither likely vulnerable as they are also client and not server operating systems.
The script being exploited will usually specify which shell it wants to use so it can still execute in bash despite it not being the default. If one CGI script specified bash on two servers, they are both vulnerable. It would prevent attacks on scripts that run in whatever the default shell is.
If you have to ask...
Unix servers are the cheapest as the OS is usually free so they'd have be somewhere between cheap and hipster - that's Microsoft's turf.
Does the default shell make a difference if Bash is still installed?
All Redhat versions install bash and sh by default and when you set up a new user the admin specifies which shell to use, usually bash. It is possible to use sh instead and then take the execute permissions away from /bin/bash, but if you have a lot of users and cgi applications that is not practical.
The other thing that is important about this issue is that if admins delay patching their servers they could potentially get hacked and not even know it. Even if they eventually patch their server it will still be hacked. You really need to know your stuff to find the malware that is usually named the same as default files, just in a different location, so when running top, you might see two copies of of the same service with two different pids. I would imagine the hackers are scrambling to exploit this as quickly as possible.
You can test if a bash shell is vulnerable by pasting the following into a terminal either via ssh or locally and hit return:
The word 'vulnerable' shouldn't appear but 'hello' should. If both appear then the shell is vulnerable to the exploit.
Thank you very much for your informative post. Would you mind explaining the logic behind why that demonstrates the exploit. I think I get that the first part (from "x" through to "VULNERABLE'") should just set a variable x to a string and then the second part should simply use the bash shell to display the word hello. But for some reason, some aspect of the characters in the middle (the happy and winky faces
) cause the string setting to short circuit and instead see this as 3 commands? If it's that straightforward, why did no one stumble on this bug years ago?
The code is setting the shell variable x to a function, it's just an empty one here, which is what the brackets are. The flaw is that it executes code that follows it rather than ignoring it or raising an error.
I expect the reason nobody noticed it years ago is that very few people will assign functions to shell variables and if they did, they wouldn't write them wrongly on purpose. There was one guy assigned to look after the bash project and he might have been doing this in his free time. Once code is written and stable, you expect it to stay that way and you only really scrutinize changes.
This happened with Apple's SSL bug, which I think was only active for a few months but it was such a small piece of code that nobody bothered to check it for problems.
Hmm. I don’t get this from Apple. Aren’t Mountain Lion, Mavericks, and Yosemite vulnerable? That sounds like most customers ARE vulnerable...
Hmm. I don’t get this from Apple. Aren’t Mountain Lion, Mavericks, and Yosemite vulnerable? That sounds like most customers ARE vulnerable...
You can quote me "no they aren"t" even if the bug is there. You can't be vulnerable to your second gas tank not working if your not driving 800 miles ;-).
This is a limited scope bug, even for advanced users. Il you are not one of those advanced thinkerers, you have nothing to worry about. Doesn't mean Apple shouldn't patch this as soon as possible of course. Though Bash is an easy compile, so most of those advance users can do it themselves quickly.