Apple Says OS X Is Safe From Shellshock….. I However Am Skeptical
Today, iMore posted a story on a response that they got from Apple in regards to Shellshock, the new exploit that has got the attention of the planet because of how pervasive it is. Here’s what Apple said:
The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson told iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.
You know, I’m not so sure about that. I’m going to get nerdy to explain this because I really don’t have a choice, but I will do my best to make this as accessible as possible.
In theory the average OS X user should not have to worry about this exploit. You’d have to do something like allow remote logins via other computers using a protocol called SSH to be at risk. In other words, your Mac has to be exposed to the Internet. So in that regard, Apple is correct. Where I disagree with them is that some applications that the average user has on their Mac may be listening on an open port that allows what are called RPC calls to be made that end up running shell commands. Transmission which is a popular BitTorrent client for OS X does RPC calls. So does PPCoin which is a BitCoin application for OS X. Thus it’s very easy to be running something inadvertently in the course of running an application that does something to make you vulnerable to this exploit.
So I hope that Apple fixes this quickly and makes this a moot point. But in the meantime, you may want to protect yourself accordingly.
September 29, 2014 at 3:25 pm
[…] apple-says-os-x-is-safe-from-shellshock-i-however-am-skeptical which helps to provide […]