Apple is trying to soothe users who are anxious about Mac OS X’s exposure to the Bash vulnerability.
The company said in a statement to Threatpost that most Apple users are not at risk, and reports have it that Apple is preparing to release a patch.
“With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services,” said an Apple representative. “We are working to quickly provide a software update for our advanced UNIX users.”
With multiple exploits in the wild and the potential for a DDoS botnet made up of machines compromised because of the Bash vulnerability a growing reality, OS X users may indeed have a little less exposure than their Linux and UNIX brethren.
Rich Mogull, analyst and founder of Securosis, said the Bash bug affects OS X in the same way it does Linux and UNIX machines, but since most OS X deployments are not on webservers, default installations of the operating system are at less of a risk. He also cautions users to fight the temptation to apply homespun patches for Apple machines.
“You can manually compile a patch, but it’s best to wait for Apple,” Mogull said. “I know they are on it, but being careful since everyone else has messed up their patches.”
Indeed, early patches from the major Linux distributions—including Red Hat, Ubuntu and Debian, among others, were deemed incomplete and required some reworking.
Bash is the default command-line shell in Linux, UNIX and OS X, and it’s called by a number of functions in those systems, even some that are not in plain sight. That set of circumstances can make comprehensive patching of the Bash bug a challenge.
The vulnerability is relatively simple to exploit and allows a hacker to remotely attach malicious code to an environment variable that is executed when Bash is invoked. The problem is that millions of web servers, embedded devices, home routers and even Linux-based industrial control systems and SCADA equipment invoke Bash calls. The most common, however, are in web servers including Apache servers using mod_cgi or mod_cgid, or Git deployments over SSH.