Shellshock: ‘Larger scale attack’ on its way, warn securo-bods

Apple FINALLY patches the ‘don’t worry’ Bash Shellshock vuln

Apple Releases Patches for Shellshock Bug

Every Mac Is Vulnerable to the Shellshock Bash Exploit: Here’s How to Patch OS X
— i upgraded from v.3.2.51(1) to v.3.2.53(1) according to their directions for pre-mavericks computers, and, according to the test i posted last week the system is no longer “vulnerable”, but, because of the fact that it doesn’t actually give a response other than “this is a test”, i can’t tell for sure whether or not they’ve actually patched shellshock, or whether they have just turned off the error message… it would be really nice if i could just upgrade to the current GNU release, which is v.4.3… this is why i am no longer a mac-head… 😐

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7


Firms BASH Bash bug with new round of Shellshock patches

Cisco splats Bash bug in busy swatting season

i’ve run three rounds of security updates in the past three days, and bash was updated in every one of ’em… eventually they’re gonna fix it for real… maybe i’ll just revert to using csh… or zsh (which was written by paul falstad, my former manager and coworker at openwave) 😐



The ‘Shellshock’ Bash vulnerability and what it means for OS X

Apple: Most OS X users safe from ‘Shellshock’ exploit, patch coming quickly for advanced Unix users — which, of course, is a blatant falsehood… all macs are as much at risk as -x was, and -x had a patch yesterday… this is why i am no longer a mac-head… 😐

Apple working on “Shellshock” fix, says most users not at risk [Updated] — which includes the following information:

Mac OS X uses version 3.2.51.(1) of GNU bash, released in 2007; the current GNU release of the shell is bash 4.3. However, the current version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms, even dropping the open-source Windows networking service Samba from OS X server in 2011 because Samba had shifted to a GPLv3 license. Therefore, although patches for the vulnerability have now been pushed out for most open-source operating systems, Apple executives may feel they have to have their own developers make modifications to the bash code.

this is the explanation why i haven’t been able to get SAMBA to work on my mac… grumble, mutter… 😐

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole

shellshock update: linux has been patched, mac not so much…

‘Shellshock’ Bug Spells Trouble for Web Security
by Brian Krebs

The bug is being compared to the recent Heartbleed vulnerability because of its ubiquity and sheer potential for causing havoc on Internet-connected systems β€” particularly Web sites. Worse yet, experts say the official patch for the security hole is incomplete and could still let attackers seize control over vulnerable systems.

The problem resides with a weakness in the GNU Bourne Again Shell (Bash), the text-based, command-line utility on multiple Linux and Unix operating systems. Researchers discovered that if Bash is set up to be the default command line utility on these systems, it opens those systems up to specially crafted remote attacks via a range of network tools that rely on it to execute scripts, from telnet and secure shell (SSH) sessions to Web requests.

According to several security firms, attackers are already probing systems for the weakness, and that at least two computer worms are actively exploiting the flaw to install malware. Jamie Blasco, labs director at AlienVault, has been running a honeypot on the vulnerability since yesterday to emulate a vulnerable system.

“With the honeypot, we found several machines trying to exploit the Bash vulnerability,” Blasco said. “The majority of them are only probing to check if systems are vulnerable. On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks.”

The vulnerability does not impact Microsoft Windows users (ed. for a change), but there are patches available for Linux and Unix systems. In addition, Mac users are likely vulnerable, although there is no official patch for this flaw from Apple yet. I’ll update this post if we see any patches from Apple.

The U.S.-CERT’s advisory includes a simple command line script that Mac users can run to test for the vulnerability. To check your system from a command line, type or cut and paste this text:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

US-CERT has a list of operating systems that are vulnerable. Red Hat and several other Linux distributions have released fixes for the bug, but according to US-CERT the patch has an issue that prevents it from fully addressing the problem.

The Shellshock bug is being compared to Heartbleed because it affects so many systems; determining which are vulnerable and developing and deploying fixes to them is likely to take time. However, unlike Heartbleed, which only allows attackers to read sensitive information from vulnerable Web servers, Shellshock potentially lets attackers take control over exposed systems.

“This is going to be one that’s with us for a long time, because it’s going to be in a lot of embedded systems that won’t get updated for a long time,” said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley. “The target computer has to be accessible, but there are a lot of ways that this turns accessibility into full local code execution. For example, could easily write a scanner that would basically scan every Web site on the planet for vulnerable (Web) pages.”

Stay tuned. This one could get interesting very soon.