Apple says the so-called Shellshock bug does not impact the majority of Mac OS X users.
That may come as a bit of good news for Apple customers worried about the newly revealed vulnerability affecting GNU's Bourne Again Shell (Bash).
"The vast majority of OS X users are not at risk to recently reported Bash vulnerabilities," an Apple spokesperson told Dark Reading. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users."
Apple did not specify what "advanced services" it meant. Eldon Sprickerhoff, chief security strategist at eSentire says they likely include "inbound services including ssh, web services (a.k.a. Apache)," and others. "My advice is, if you're running OS X as a web server, take it down until there's a patch or use something to block ShellShockish queries with a wrapper or something like Mod-security."
The vast majority of the attacks inbound on the Internet are through web servers, he says. "You use the web server to run a script that lets you exploit the bash bug. The web server is the vector to access the bug itself. So, if you have fewer open vectors available, you're less vulnerable. However, there's some indication that DHCP could be a vector for other systems. There's a whole new attack space to be analyzed here."
The Pluralsight author and security expert Troy Hunt wrote in a blog post that Bash is a *nix shell -- an interpreter that enables users to orchestrate commands on Unix and Linux systems, typically by connecting over SSH or Telnet. It can also operate as a parser for CGI scripts on a web server that would typically be seen running on Apache.
"There are other shells out there for Unix variants, the thing about Bash though is that it's the default shell for Linux and Mac OS X which are obviously extremely prevalent operating systems," he wrote. "That's a major factor in why this risk is so significant -- the ubiquity of Bash -- and it's being described as 'one of the most installed utilities on any Linux system.'"
The risk centers on "the ability to arbitrarily define environment variables within a Bash shell which specify a function definition," Hunt wrote. "The trouble begins when Bash continues to process shell commands after the function definition resulting in what we'd classify as a 'code injection attack.'"
Shortly after the bug was disclosed yesterday, the first attempts by criminals to take advantage of the issue began.
"The most recent attempts we see to gain control of web servers just create a new instance of Bash and redirect it to a remote server listening on a specific TCP port. This is also known as a reverse-connect-shell," Kaspersky Lab's Stefan Ortloff wrote in a blog post today. "In another ongoing attack the criminals are using a specially crafted HTTP-request to exploit the Bash vulnerability in order to install a Linux-backdoor on the victim's server. We're detecting the malware and its variants as Backdoor.Linux.Gafgyt."
The activity by attackers has led the Internet Storm Center to raise the 'InfoCon' status to Yellow.