“Bash [...] has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems”

Sep 26, 2014 09:36 GMT

A flaw in the “bash” shell that reportedly affects UNIX-based operating systems will be patched shortly, according to Apple. Security experts warn that the flaw is as major as Heartbleed, the widely reported vulnerability found earlier this year in the OpenSSL library.

The flaw in question, dubbed Shellshock, is reportedly easy to exploit and quite dangerous too. According to Apple, however, few users are actually affected by it. Full scoop below.

As big as Heartbleed

As soon as Shellshock hit the news, security researcher Robert Graham wrote on his blog that the Bash bug was “as big as Heartbleed.” He offers not only his personal take, but a thorough analysis of the situation. And apparently he’s right.

An excerpt from his write-up says, “Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.”

Graham adds, “Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.”

Power users are the only ones affected

Apple, however, describes the flaw differently. While the company admits it is there, the Cupertino people also stress that very few systems in the wild are actually susceptible to attack via Shellshock.

Apple tells iMore that “The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

In other words, only the really savvy types are exposed to this vulnerability. And those who are able to configure advanced UNIX services can also use their skills to protect themselves against attacks.

Nevertheless, Apple promises to take matters into its own hands and deliver a patch. Unfortunately, the company has not specified a timeframe for the release of this update.

Earlier this month, OS X customers were handed software update 10.9.5, which improved the reliability of VPN connections that use USB smart cards for authentication, improved file access on an SMB server, and bundled a more secure version of the Safari web browser (Safari 7.0.6).