Apple’s Shellshock patch for Macs is incomplete, says security researcher
Apple just released a patch for Shellshock, a bug that could give hackers access to Macintosh computers, but a security specialist says Apple fixed only two out of three security holes.
Apple has issued a fix for Shellshock, aka Bash, a bug that could let hackers gain access to some Macintosh computers. But security experts said Tuesday thatApple’s patch is incomplete and leaves one vulnerability open.
Shellshock affects most computers around the world running Unix and Linux, including Apple’s OS X operating-system software for the Mac. A quarter-century old, the Shellshock flaw allows potentially harmful code to run inside a bash shell, which is a common, simple interface for issuing commands to the computer. Potentially, the Shellshock bug could be used to access sensitive information or gain control of the computer.
Tod Beardsley, an engineering manager for security firm Rapid7, told CNET last week that Shellshock is extremely dangerous because it’s easy to exploit and can give hackers the ability to take over Macs. Some researchers have said it’s at least as dangerous as Heartbleed, a similar widespread vulnerability discovered earlier this year.
Apple fixed two vulnerabilities yesterday, but a third Shellshock vulnerability in OS X was discovered by another Rapid7 security researcher, Greg Wiseman. He says he ran a script to test for Bash/Shellshock vulnerabilities and found that even after installing Apple’s patch on OS X Mountain Lion (released in 2012) the operating system was still susceptible to another vulnerability. That vulnerability, CVE-2014-7186, is a bug that could allow for Denial of Service attacks, which would prevent a Mac from connecting to local networks or the Internet.
Apple didn’t respond to a request for comment.
The company said last week that only Mac owners who use advanced Unix settings are affected. “Bash, a Unix command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems,” said Apple. “With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced Unix services.”
Apple’s fix has yet to be added to its Software Update service for Macs, which pushes updates to the computers automatically. For now, Mac users need to go to Apple’s site and download the patches for OS X Lion (10.7), OS X Mountain Lion (10.8) and OS X Mavericks (10.9). If you want to know which version of OS X your Mac is running, go to the Apple Menu in the upper left corner and click “About this Mac.”