The majority of Mac users safe from Bash Bug while Oracle warns its customers

Apple says users of its OS X are “safe by default” from the Bash Bug, while Oracle warns its customers that 32 products are affected by the flaw.

The recently discovered Bash Bug vulnerability threatens billions of devices that could be exposed to cyber attacks exploiting the flaw. The situation appears critical for systems that are not easy to update and are exposed on the Internet, including IoT and SCADA devices.
The Bash Bug reportedly affects most Linux and Unix-based OSs, including OS X.
In contrast, Apple declares that the vast majority of Mac computers are not at risk from the Bash Bug, aka the “Shellshock” bug. The company has issued a public statement in response to the critical security issue.

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” states the Apple public statement. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

The majority of Apple OS X users are considered safe so long as they haven’t configured any advanced access to their systems. In any case, the company announced the distribution of an OS X update to fix the Bash Bug.
This means that Apple OS X users have to disable any advanced UNIX options while waiting for the patch to be issued.
According to security experts, it is very likely that the vulnerability has already been exploited. A system administrator using the @yinettesys Twitter account published a GitHub gist reporting a case in which threat actors exploited the Bash Bug flaw to launch a kernel exploit on a machine, coordinating the attack with a C&C server hidden behind the Cloudflare content delivery network.
Another IT giant is threatened by the Bash Bug flaw: Oracle has also confirmed that over 32 of its products are affected by the “Shellshock” vulnerability. By issuing a security alert regarding the Bash bug on Friday, the company warned its users to wait a bit longer for the complete patch.

“Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability,” states the Oracle Security Alert for CVE-2014-7169.

“The fixes that are available for immediate application by customers are listed in the Patch Availability Table. This Security Alert will be updated when fixes are available for additional affected Oracle products without sending additional emails to customers. Customers should check this page for updates.

Due to the severity, public disclosure, and reports of active exploitation of CVE-2014-7169, Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.”

An unofficial patch that fixes the Bash Bug is also available on the Internet: in a message sent to the Open Source Software Security (oss-sec) mailing list, the maintainer of Bash, Chet Ramey, addressed the vulnerability and issued the patch.

Pierluigi Paganini

(Security Affairs – BashBug, Oracle, Apple)
