Apple says most customers not vulnerable to 'shellshock,' patch coming for advanced users
AppleInsider Staff
Apple on Friday sought to calm OS X users who feared their computers may be at risk from a widespread vulnerability in popular UNIX command interpreter bash — which is included in Apple's UNIX-based desktop operating system — saying that most consumers are not at risk, while advanced users will receive a patch in the coming days.
"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an Apple spokesperson said in a statement to iMore. "With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services," the spokesperson added, before noting that Apple is "working to quickly provide a software update for our advanced UNIX users."
The bug, nicknamed "shellshock" by members of the computer security community, is thought to be present in every version of bash since its introduction in 1989. By passing specially-crafted commands to computers running vulnerable releases of bash, an attacker could — without authentication — Â remotely execute arbitrary commands that could modify systems or exfiltrate data.
Because bash is present on nearly every Linux and UNIX system that has shipped in last 20 years, the potential for damage is immense if machines are not quickly patched. Fortunately for most OS X users, their computers are rarely directly exposed to the internet, and even more rarely are they configured to expose potentially vulnerable endpoints — like HTTP servers — Â to the network.
Advanced users who have OS X machines in a situation where they may be remotely exploited, such as systems administrators with internet-facing OS X servers, can mitigate the issue by recompiling bash with the official patches from GNU until Apple issues its own update.
William Gallagher
Wesley Hilliard
Andrew Orr
Amber Neely
