Apple: Most Mac Users Safe From ‘Shellshock’
Most Apple Mac owners can breathe easy following news of the Shellshock bug.
The flaw affects Bash, a widely used command interpreter that is also included in the Mac operating system. If exploited, it can give hackers complete control over a targeted system.
But Apple users have nothing to worry about, a company spokesman told iMore in a statement.
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” Cupertino said in a statement published by iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed by remote exploits to bash unless users configure advanced UNIX services.”
Apple said it is working to provide a software update for those advanced users.
According to the Akamai administrator who first disclosed the bug, the vulnerability is present in most versions of Bash, from 1.13 to 4.3, and is based on how Bash handles environment variables.
Security experts, including Errata Security’s Robert Graham, are already comparing Shellshock to this year’s Heartbleed bug, which set the tech sector on fire after its discovery in April.
But, unlike Heartbleed, which affected only a specific version of OpenSSL, the Bash-based flaw has been creeping into old devices for more than two decades.
Despite the Web-based panic, there is actually no pressing need to fix the flaw, according to Graham, who said primary servers are probably not vulnerable. But everything else probably is.
Users are encouraged to scan the network for things like Telnet, FTP, and old versions of Apache.
“Anything that responds is probably an old device needing a bash patch,” Graham said this week. “And, since most of them can’t be patched, you are likely screwed.”