If you’re a Mac user, you may have felt wrongfully left out of all the Shellshock kerfuffle over the past few days.
A lot of the talk about the bug has been Linux, Linux, Linux on servers, servers, servers.
Web servers are particularly at risk, because they often handle special functions such as searches using command scripts that are fed with data from external web requests.
For all you know, when you send a web request like this:
http://example.net/search?term=banana
you might very well be telling the server to run a special command in the background, such as:
/usr/local/bin/searchfor --database=website.index \
--searchword=banana
That command might be launched by the server using Bash.
And the server might set some helpful environment variables for the searchfor Bash script to have handy, such as:
HTTP_USER_AGENT
QUERY_STRING
HTTP_REFERER
All of these would be populated with data sent in your original request, following the usual CGI convention of passing request details to the script as environment variables.
So you could control not only when to run Bash, but also what was contained in some of its environment variables when it ran.
That's most of what you need to exploit Shellshock: Bash treats any environment variable whose value starts with "() {" as an exported function definition, and the bug (CVE-2014-6271) is that a vulnerable Bash also executed whatever commands were tacked on after the closing brace, at startup, before your script even ran.
So, with many web servers running Linux, and many Linux servers running Bash, it’s understandable that a lot of the Shellshock buzz has concentrated on this combination.
What about OS X?
Of course, Macs famously use Bash as their default command shell.
Yet most Macs aren’t running Linux, and aren’t servers.
So what about some Shellshock excitement for OS X users?
Here it is: Apple has pushed out an update entitled OS X bash Update 1.0.
So far, at least [2014-09-29T23:55Z], it doesn’t seem to be available via the Software Update… option in the Apple menu, so you will have to get it yourself:
When you’ve done the download, you’ll have a DMG (disk image) file called BashUpdateXxxx.dmg, where Xxxx is your operating system name, e.g. Mavericks:
Open the DMG and you will find a .pkg (installation package) file:
Double-click it, give it an administrator password so it can change key system files, and you are done.
You can check that the update worked by opening a Terminal window and issuing the bash --version command:
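The version string only tells you which build Apple shipped; a more direct check, for the mechanism described earlier (a command smuggled in after a function definition in an environment variable) as well as for the update, is to feed Bash the widely published test strings and see what it does. The script below is an added example, not code from the original article or from Apple; the TARGET_BASH variable and the function names are my own. It tests the bash found on your PATH for the original bug (CVE-2014-6271) and for the follow-up bug in the first incomplete fix (CVE-2014-7169), and exits non-zero if either is still present.

```shell
#!/bin/sh
# Added example, not part of the original article.
# TARGET_BASH (an assumed name) points at the bash to test; default is the
# first "bash" on PATH, which on a Mac is normally /bin/bash.
TARGET_BASH=${TARGET_BASH:-bash}

# Returns 0 if CVE-2014-6271 is present, 1 otherwise.
# The variable x carries a harmless function definition followed by a
# trailing command. A buggy bash runs that command while importing the
# function, so "vulnerable" appears in the output; a patched bash ignores it
# and only the -c command runs.
shellshock_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$TARGET_BASH" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if CVE-2014-7169 is present, 1 otherwise.
# With the trailing backslash the crafted definition confuses the parser of
# a partially patched bash, so "echo date" is executed as ">echo; date" and
# the output of date lands in a file called "echo". The test runs in a
# scratch directory so a vulnerable bash can only write there.
shellshock_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' "$TARGET_BASH" -c "echo date" >/dev/null 2>&1 )
    if [ -s "$dir/echo" ]; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# Prints the version line the article's check shows, then one verdict per
# bug. Returns 1 if either bug is present, 0 if both tests come back clean.
shellshock_report() {
    status=0
    "$TARGET_BASH" --version 2>/dev/null | head -n 1
    if shellshock_6271; then
        echo "CVE-2014-6271: VULNERABLE"
        status=1
    else
        echo "CVE-2014-6271: not vulnerable"
    fi
    if shellshock_7169; then
        echo "CVE-2014-7169: VULNERABLE"
        status=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    return $status
}

shellshock_report
```

Save it as shellshock-check.sh and run sh shellshock-check.sh from Terminal; on a Mac that has taken the update both verdict lines should read "not vulnerable". Because the script only ever runs a harmless no-op function and writes into a temporary directory it creates itself, it is safe to run on a machine you suspect is still unpatched.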
See?
Geeky bugfixing fun isn’t just for Linux acolytes.
Via: sophos