The majority Mac users safe from Bash Bug while Oracle warns its customers
Pierluigi Paganini
September 28, 2014
Apple says users of its OS X are “safe by default” from the Bash Bug, meanwhile Oracle warns its customers that 32 products are affected by the flaw.
The Bash Bug exploit reportedly affects most Linux and Unix-based OSs, including OS X.
In contrast, Apple declares the vast majority of Mac computers are not at risk from the
Bash Bug, aka the “Shellshock” bug, the company has issued a public statement in response to the critical security issue.
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” states the Apple public statement.”Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.“
The majority of Apple OS X
users is considered to be safe so long as they haven’t configured any advanced access to their systems, anyway the company announced the distribution of an OS X update to fix the
Bash Bug.
This means that Apple OS X users have to disable any advanced UNIX options waiting for the patch will be issued.
According security
experts it ‘s very likely that the vulnerability has already been exploited, a system administrator using the @yinettesys Twitter account published a
GitHub gist post reporting on
a case in which threat actors exploited the Bash Bug flaw to launch
kernel exploit on machine coordinating the attack with a C&C server hidden behind the Cloudflare content delivery network.
Another IT giant is menaced by the Bash Bug flaw, Oracle has also confirmed that over 32 of its products are affected by the “Shellshock” vulnerability. The company warned its users to wait a bit longer for the complete patch, by issuing a security alert regarding the Bash bug on Friday.
“Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability,” states the Oracle Security Alert for CVE-2014-7169.
“The fixes that are available for immediate application by customers are listed in the Patch Availability Table. This Security Alert will be updated when fixes are available for additional affected Oracle products without sending additional emails to customers. Customers should check this page for updates.
Due to the severity, public disclosure, and reports of active exploitation of CVE-2014-7169, Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.”
On the Internet is also available an unofficial patch that fixes the Bash Bug, in a message sent to the Open Source Software Security (oss–sec) mailing list, the maintainer of Bash, Chet Ramey addressed the vulnerability and issued the patch.
Pierluigi Paganini
(Security Affairs – BashBug, Oracle, Apple)