Industry News

Shellshock Bug Exploited in the Wild, Now Patched by Apple

Apple has patched the Shellshock vulnerabilities almost a week after the first disclosure, according to media reports. The company said a “vast majority” of OS X users weren’t at risk, as the systems were safe “by default and not exposed to remote exploits of [GNU Bash] unless users configure advanced UNIX services.”

Bitdefender’s analysis shows the typical attack scenario: the attacker requests a vulnerable script on a web server (typically a CGI script run by Bash) and passes the exploit code in the User-Agent header, which the web server hands to the script as an environment variable. Bitdefender advises Mac OS X users to update immediately.

Initially identified and patched as a single issue (CVE-2014-6271), the Bash flaw was assigned a second identifier, CVE-2014-7169, for the incomplete first fix; that one was patched on Sept. 26. In the meantime, the Bash security flaws were actively exploited by attackers.

“It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables,” Linux vendor Red Hat said. “An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands.”

The company warned that, with only the initial patch applied, several applications and services could still be exploited by unauthenticated attackers.
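As an added example (not Bitdefender’s, Apple’s or Red Hat’s code), the following POSIX shell script reproduces the two situations described above: the web vector, in which the User-Agent header reaches a Bash script as the HTTP_USER_AGENT environment variable, and the incomplete first fix. It uses the publicly circulated test strings for CVE-2014-6271 and CVE-2014-7169; the sample request headers, the one-line stand-in CGI script and the function names are constructed here. Each check returns 0 when the local bash is patched, 1 when it is vulnerable and 2 if no bash is found, so it can be run on a Mac to confirm that the update took effect.

```shell
#!/bin/sh
# Added example: self-tests for the two Bash CVEs named in the article, plus a
# simulation of the CGI vector. Payload strings are the widely published test
# strings; the request headers and the stand-in CGI script are constructed.

# CVE-2014-6271: a value beginning with "() {" is imported as a function and
# the command after the closing brace runs while the environment is parsed.
# Returns 0 if this bash is patched, 1 if vulnerable, 2 if bash is missing.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env X='() { :;}; echo VULNERABLE' bash -c 'echo done' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *) return 0 ;;
    esac
}

# CVE-2014-7169: after the first fix, a crafted value still left parser state
# behind. With the "(a)=>\" payload the next command ("echo date") is parsed
# as "> echo date", so a file named "echo" appears in the working directory.
# Returns 0 if patched, 1 if vulnerable, 2 if bash is missing.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# The web vector: a CGI-capable server exports request headers as environment
# variables (User-Agent becomes HTTP_USER_AGENT) and then runs the script.
# A constructed one-line Bash "CGI script" stands in for the real one. On an
# unpatched bash the injected command runs before the script prints anything.
simulate_cgi_request() {
    ua="$1"   # raw User-Agent header value taken from the request
    command -v bash >/dev/null 2>&1 || return 2
    env "HTTP_USER_AGENT=$ua" bash -c 'echo "Content-Type: text/plain"; echo; echo ok'
}

# Detection of the attack pattern: the "() {" function prefix has no
# legitimate use in a User-Agent string, whichever payload follows it.
looks_like_shellshock() {
    case "$1" in
        *'() {'*|*'(){'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample headers: one benign, one carrying the CVE-2014-6271 payload.
BENIGN_UA='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5)'
ATTACK_UA='() { :;}; echo INJECTED'

run_report() {
    for ua in "$BENIGN_UA" "$ATTACK_UA"; do
        if looks_like_shellshock "$ua"; then
            echo "FLAGGED  User-Agent: $ua"
        else
            echo "clean    User-Agent: $ua"
        fi
    done
    for cve in 6271 7169; do
        if "check_cve_2014_$cve"; then
            echo "CVE-2014-$cve: not vulnerable"
        else
            echo "CVE-2014-$cve: VULNERABLE (or bash not found)"
        fi
    done
    # Hand the attack header to the simulated CGI script; only an unpatched
    # bash prints INJECTED ahead of the script's own output.
    simulate_cgi_request "$ATTACK_UA" || true
}

run_report
```

The header check is deliberately a substring match rather than a list of known payloads: both CVEs, and the later variants, all rely on the environment value starting with the function-definition prefix, so matching that prefix in any request header (not only User-Agent; Referer, Cookie and custom headers are exported the same way) catches the vector regardless of the command that follows.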

Bash is a UNIX command shell shipped by default with OS X and with most Linux distributions, including Red Hat, Debian and Ubuntu.

About the author
Bianca Stanescu, the fiercest warrior princess in the Bitdefender news palace, is a down-to-earth journalist, who's always on to a cybertrendy story. She's the industry news guru, who'll always keep a close eye on the AV movers and shakers and report their deeds from a fresh new perspective. Proud mother of one, she covers parental control topics, with a view to valiantly cutting a safe path for children through the Internet thicket. She likes to let words and facts speak for themselves.