No one is ever excited when a new software vulnerability is revealed, but the disclosure this week of a major bug in a common Unix tool set off an earthquake in the security community. Not only is nearly every version of Unix vulnerable, including Linux and OS X, but most of the initial patches are not completely effective at blocking the hole. It’s a near-worst-case scenario where we have a piece of software on nearly every non-Windows server on the Internet — and plenty of personal computers thanks to Apple’s market growth — that is vulnerable to multiple kinds of remote attacks, all capable of completely taking over the system, with no way to stop it completely.
Despite the severity, a combination of Apple’s design decisions and how we use Macs dramatically reduces your risk, but you still need to be careful and be ready to install Apple’s next security update.
Shellshock — Bash is one of the most fundamental tools on Unix-based systems, including Linux and BSD, a version of which is at the heart of OS X. By default, when you launch Terminal, Bash is the program that provides the command-line interface. It has been around for decades and is by far the most popular interactive shell.
You don’t need to know the gory details (read Troy Hunt’s write-up if you want them), but in short, a researcher discovered a vulnerability in Bash that enables an attacker to do pretty much whatever he wants. It involves manipulating environment variables sent to the shell when it opens a session. This is clearly a problem if someone gains direct or remote access to your computer, but Bash is so deeply embedded into Unix systems that the vulnerability has some unusual effects.
Many programs hook into a Unix system’s default shell to issue command-line instructions because it’s a convenient way to interact with the computer. It isn’t the safest approach, so those commands are often limited to a low-privilege user account or use some other safety mechanism. Unfortunately, that mechanism rarely involves sanitizing commands sent for bad data, something programmers know they should do, but which can be hard to get right.
Thus we find that many installations of the Apache Web server are vulnerable, as is the DHCP software many Unix systems use to obtain their IP addresses. And those two merely scratch the surface. Passing commands through Bash is such a common technique that we don’t know all the ways it could be exploited, or how easy the exploitation might be. In the DHCP example, simply connecting to a hostile network (wired or wireless) could give an attacker control of your computer. And worst of all, this particular exploit is insanely easy to use — all an attacker needs to do is send a bit of the right text to a receptive app.
For example, security researcher (and friend) Rob Graham ran a partial scan of the Internet and determined Shellshock could be used to create a new Internet worm.
Once Bash is fully patched, the vulnerability should be blocked, but it is also possible there are strange variations that haven’t been found yet. Worse, the sheer number of computers that need to be patched is nearly incomprehensible. Bash is even found in odd places like network devices, appliances, industrial control system components (think your power company), and home automation. On the positive side, not everything is exploitable. It takes a combination of the vulnerable version of Bash and some way to send it arbitrary commands that can be executed in an interesting way. But, to bring you back down again, we don’t know what all those combinations are.
We will be dealing with Shellshock for years.
Why Most Macs Are Safe — As I noted before, all recent versions of OS X have Bash installed as the default shell, and are just as vulnerable as any other Unix-based operating system. However, the default configurations of most Macs appear to block the highest-risk methods of exploiting the Shellshock bug. Unless you set up your Mac as a Web server, or enable some other remote software that could link to Bash, you should be safe. That said, anyone running a Mac server should look into recompiling Bash.
When you’re on your home network, behind NAT (in which your router gets a single IP address from your ISP, and then distributes multiple internal IP addresses to all the devices that connect to it), you’re likely safe. However, when you’re out and about on networks of unknown safety, I recommend turning on OS X’s built-in firewall (System Preferences > Security & Privacy > Firewall > Turn On Firewall). Then click the Firewall Options button and select Block All Incoming Connections. That might be overkill, but it probably won’t affect anything negatively as you use your Mac (it’s how my MacBook Pro is always configured), and it’s easily toggled off and on.
The main vector I was extremely worried about was an attack via DHCP, which could expose your Mac if all you did was connect to a network. To test this concern, I set up my own hostile DHCP server and tried the attack, but to no avail. I couldn’t compromise my Mac, and after asking on Twitter, I found out that Apple uses its own DHCP client, which is safer.
Since we don’t yet understand the full implications of the Bash vulnerability, keep your eyes out for a security update from Apple rather than attempting to patch Bash willy-nilly. (If you run older versions of OS X that no longer receive security updates, you’ll want to recompile your version of Bash, since this vulnerability dates back decades.) But the rest of us should wait for an official update, since the risk to everyday Mac users is low. Apple has already notified the media (including us) that they are working on the problem, and since most of the other fixes are incomplete, I’m okay waiting a little longer.