A while back, when the world was made aware of the Heartbleed bug, there was a hue and cry all over, mainly because the bug was discovered in a system that was widely used and implemented across the Internet. Today, a new threat has surfaced that’s perhaps bigger than Heartbleed. Labeled the Bash bug – or Shellshock – the new vulnerability affects almost all Linux- and Unix-based systems, as it exists in the Bash shell that’s widely used on Unix systems. The good news, at least for Mac OS X users, is that Apple is actively working to patch it and release a fix that can put users’ minds at ease.
In a statement provided to iMore, Apple claimed,
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson told iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
The bug, which was discovered by a security team at Red Hat, resides in the Bash shell of Linux- and Unix-based operating systems and, when exploited properly, allows a remote attacker to gain full control of the target system. Essentially, it allows unauthorized remote code execution, which can leave the target computer exposed to an even wider variety of attacks. Also, akin to Heartbleed, it appears that this bug has existed in Linux and Unix systems for a long, long time and, had it not been discovered now, may have remained dormant for years to come.
Apple’s statement on the Bash bug can be taken as a good indicator, with the company acknowledging that it’s a serious threat that needs to be fixed. That said, Apple hasn’t really clarified which advanced Unix services can cause this exploit to become dangerous. Still, from general usage patterns, it appears that most casual users are still safe, although we’d urge Apple to speed up the release of the fix. Just having a vulnerability like this lying around in your machine is cause enough for discomfort.
It’s also noteworthy that in light of this discovery, Red Hat and Fedora have already released patches to fix the Bash bug. However, security experts believe that these might be temporary fixes, and a permanent solution might require more time and effort.