Apple Addresses Shellshock Vulnerability….. Maybe [UPDATED]

The good news: Apple has released an update to address the Shellshock vulnerability that I have written about. That sounds good. But if you start looking at the details, here's what you'll find:
- The update that I linked to is for Mavericks. Apple also released updates for OS X Lion and OS X Mountain Lion. If you have a version of Mac OS X earlier than Lion, there's no update for you. If you can, you should upgrade to a newer version of OS X.
- After I applied it to my MacBook Pro running OS X 10.9.5, I opened Terminal and ran this command: "bash --version". The result shows 3.2.53(1). Here's the problem: CVE-2014-6271 and CVE-2014-7169 list Bash versions through 4.3 as vulnerable. So Mac users appear to still be at risk. Apple hasn't posted any details on this update at this link. Until they do, this is an open question.
- This update, as I type this, isn't being distributed via Software Update, which would deliver it to every Mac user. That's a #fail, as many users will never know that this update exists and thus will never get it and be protected.
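A caveat on the version check: the number reported by "bash --version" does not by itself settle whether a given binary is fixed. Vendors ship fixes as patch levels within the same release line, so a patched 3.2 still reports 3.2.x, and a bare comparison against "through 4.3" tells you nothing. The practical check is to exercise the two bugs directly. The script below is an added example, not from the original post and not Apple's code; it assumes a bash binary on PATH (or passed as the first argument) and a writable temp directory.

```shell
#!/bin/sh
# Added example (not from the original post): probe a bash binary for
# CVE-2014-6271 and CVE-2014-7169 instead of trusting its version string.
# Assumption: "$1" (default "bash") names the binary to test.

shellshock_check() {
    bash_bin="${1:-bash}"
    rc=0

    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no such binary: $bash_bin"; return 2; }
    echo "testing: $("$bash_bin" -c 'echo "$BASH_VERSION"')"

    # CVE-2014-6271: an exported value of the form "() { ...}; <commands>"
    # must not have its trailing commands executed when bash starts.
    out="$(env x='() { :;}; echo VULN6271' "$bash_bin" -c 'echo probe' 2>/dev/null)"
    case "$out" in
        *VULN6271*) echo "CVE-2014-6271: VULNERABLE"; rc=1 ;;
        *)          echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # CVE-2014-7169: the first, incomplete fix left parser state behind, so
    # "echo date" was parsed as "> echo date", creating a file named "echo"
    # in the working directory. Run it in a scratch dir and look for the file.
    tmp="$(mktemp -d)"
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"; rc=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    rm -rf "$tmp"

    return "$rc"   # 0 = both probes negative, 1 = at least one positive
}

shellshock_check "${1:-bash}"
```

Run it as "sh check.sh /bin/bash" on the Mac in question; a non-zero exit means one of the probes fired, whatever the version string says.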
So has the Shellshock vulnerability been addressed? Maybe. We'll need more details to know for sure. More as they come.
UPDATE: Apple posted this document and it says this:
In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix “__BASH_FUNC<” and suffix “>()” to prevent unintended function passing via HTTP headers.
This approach seems to work, as many Linux distributions use the same method (a reserved name prefix and suffix for exported functions, so that an arbitrary environment variable such as an HTTP header can no longer be parsed as a function definition) to solve this issue. As a result, I'd strongly suggest that everyone download and install this patch.
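To see what the namespacing in Apple's note actually changes, it helps to look at how a patched bash carries an exported function through the environment. The exact decoration differs by vendor (Apple uses "__BASH_FUNC<name>()", current upstream bash uses "BASH_FUNC_name%%", and the early Red Hat/Debian patches used "BASH_FUNC_name()"), but the principle is the same: only a variable whose name carries the decoration is treated as a function, so a CGI-style variable like HTTP_USER_AGENT whose value merely looks like a function stays an ordinary string. The snippet below is an added example, not from the original post or from Apple; it assumes a patched bash on PATH and uses the made-up function name ss_demo_fn.

```shell
#!/bin/sh
# Added example (not from the original post): show the reserved namespace that
# patched bash uses for exported functions. Assumes a patched bash on PATH.

# Export a function inside a child bash and print the environment variable
# name it travels under. On a patched bash this is a decorated name such as
# BASH_FUNC_ss_demo_fn%% or __BASH_FUNC<ss_demo_fn>(), never plain ss_demo_fn.
exported_function_name() {
    bash -c 'ss_demo_fn() { echo hi; }; export -f ss_demo_fn; env' \
        | grep 'ss_demo_fn' | head -n 1 | cut -d= -f1
}

# Feed bash a header-shaped variable whose value starts with "() {", the
# Shellshock pattern. Because the name lacks the decoration, patched bash
# leaves it as a string; "declare -F" reports no such function.
header_shaped_var_is_plain_string() {
    env HTTP_USER_AGENT='() { :;}; echo pwned' \
        bash -c 'if declare -F HTTP_USER_AGENT >/dev/null 2>&1; then echo function; else echo string; fi'
}

echo "exported function is carried as: $(exported_function_name)"
echo "HTTP_USER_AGENT with a function-shaped value is a: $(header_shaped_var_is_plain_string)"
```

On a pre-patch bash the first line would print just "ss_demo_fn", and that is the whole problem: any variable, including one a web server built from a request header, could be a function definition.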
This entry was posted on September 29, 2014 at 8:49 pm and is filed under Commentary with tags Apple, Security. You can follow any responses to this entry through the RSS 2.0 feed.