Late Friday, Apple reassured Mac OS X users that most were protected by default, but nonetheless that it was working on a patch. The vulnerability in Bash, which stands for Bourne Again Shell, also affects Linux and UNIX systems.
Previous patches for the vulnerability, which surfaced last Wednesday, were rushed out to Linux distributions. Some had to be pulled back for being incomplete. Red Hat, which produced one of the first fixes and had early details about the flaw’s criticality, pushed out another fix for its flavors of Linux Friday morning.
Apple sent Threatpost a statement on Friday after reports of exploits in the wild were rampant. “With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services,” said an Apple representative. “We are working to quickly provide a software update for our advanced UNIX users.”
The update comes after reports of exploits targeting the vulnerability were cultivating bots for a distributed denial-of-service botnet. Researchers at AlienVault Labs, for example, captured two distinct samples in a honeypot, one a Linux both packed with information-stealing capabilities and a list of default username-password combinations, and the other a Perl bot that opens a backdoor and leaves compromised machines in line for additional commands and malware from a centralized server.
Security company Incapsula, meanwhile today, said it had detected and blocked more than 217,000 exploit attempts on more than 4,000 domains. Researchers said the attack rate had doubled over a four-day period to more than 2,000 per hour from 890 compromised IP addresses.
Most of the activity detected by Incapsula was scans for vulnerable systems and attempts to gain shell on a vulnerable server in order to hijack it.
Bash is the most common command-line shell program on Linux and UNIX machines. The vulnerability in Bash, also known as Shellshock, allows an attacker to remotely attach a malicious executable to an environment variable that is automatically executed when Bash is invoked.
“Lots of stuff calls Bash and I would bet you there are things in most environments that call Bash and you don’t even know they’re doing it,” Red Hat’s Josh Bressers said. “We did a ton of analysis on various things Red Hat ships that we decided were a high risk. It’s one of those situations where there are infinite variants you have to deal with. Heartbleed, for example, was easy to understand and all were affected the same way.”
“No two systems are affected the same way here. Upgrade Bash and don’t mess around,” Bressers said. “Even if you think you’re OK, you’re probably not.”
Bressers said the vulnerability allows an attacker to create environment variables that include malicious code before the system calls the Bash shell.