Apple: OS X Safe By Default Against Bash Vulnerability

Author: Michael Mimoso
minute read

Apple said it is working on a patch for OS X to counter the Bash vulnerability, but in the meantime is telling users the OS is safe by default.

Apple is trying to soothe users who are anxious about Mac OS X’s exposure to the Bash vulnerability.

The company said in a statement to Threatpost that most Apple users are not at risk, and reports have it that Apple is preparing to release a patch.

“With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services,” said an Apple representative. “We are working to quickly provide a software update for our advanced UNIX users.”

With multiple exploits in the wild and the potential for a DDoS botnet made up of machines compromised because of the Bash vulnerability a growing reality, OS X users may indeed have a little less exposure than their Linux and UNIX brethren.

Rich Mogull, analyst and founder of Securosis, said the Bash bug affects OS X in the same way it does Linux and UNIX machines, but since most OS X deployments are not on webservers, default installations of the operating system are at less of a risk. He also cautions users to fight the temptation to apply homespun patches for Apple machines.

“You can manually compile a patch, but it’s best to wait for Apple,” Mogull said. “I know they are on it, but being careful since everyone else has messed up their patches.”

Indeed, early patches from the major Linux distributions—including Red Hat, Ubuntu and Debian, among others, were deemed incomplete and required some reworking.

Bash is the default command-line shell in Linux, UNIX and OS X, and it’s called by a number of functions in those systems, even some that are not in plain sight. That set of circumstances can make comprehensive patching of the Bash bug a challenge.

The vulnerability is relatively simple to exploit and allows a hacker to remotely attach malicious code to an environment variable that is executed when Bash is invoked. The problem is that millions of web servers, embedded devices, home routers and even Linux-based industrial control systems and SCADA equipment invoke Bash calls. The most common, however, are in web servers including Apache servers using mod_cgi or mod_cgid, or Git deployments over SSH.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.