
Friday, September 26, 2014

TidBITS: Macs Mostly Safe from Bash Vulnerability, but Be Ready to Patch


No one is ever excited when a new software vulnerability goes public, but the disclosure this week of a major bug in a common Unix tool set off an earthquake in the security community. Not only was nearly every version of Unix vulnerable, including Linux and OS X, but most of the initial patches are not completely effective at blocking the hole. It's a near-worst-case scenario where we have a piece of software on nearly every non-Windows server on the Internet — and plenty of personal computers (thanks to Apple's market growth) — that is vulnerable to multiple kinds of remote attacks, all capable of completely taking over the system, with no way to completely stop it.

Despite the severity, a combination of Apple's design decisions and how we use Macs dramatically reduces the risk, but you still need to be careful and ready to patch.

Shellshock -- Bash is one of the most fundamental tools available on Unix-based systems, including Linux and BSD (a version of which is at the heart of your Mac). If you launch Terminal, unless you are an advanced user who has changed your default shell, Bash is the program you use for the command-line interface. It's been around for decades, and it is by far the most popular interactive shell.

You don't need to know the details (read Troy Hunt's writeup if you want them), but a researcher discovered a vulnerability in Bash that allows an attacker to do pretty much whatever he wants. It involves manipulating the environment variables sent to the shell when it opens a session. Now clearly this is a problem if you provide someone direct or remote access to your computer, but it turns out this vulnerability is so deeply embedded in Unix-based systems that it has some unusual effects.

Many programs hook into your system's default shell to issue command-line instructions. It's a very convenient way to interact with the computer. It isn't the safest choice in the world, so those commands are often limited to a low-privilege user account or use some other safety mechanism. Unfortunately, that mechanism rarely involves sanitizing the command sent for bad data. (One of those things programmers know they should do, but can be hard to get right).

Thus we find that many installations of the Apache web server are vulnerable. As is the DHCP software many Unix systems use to obtain their IP addresses. And that's merely scratching the surface. This is such a common technique we don't quite know all the ways it could be exploited. In the DHCP example, simply connecting to a hostile network (wired or wireless) could give an attacker control of your computer. And worst of all, this particular exploit is insanely easy to use (just send a little bit of the right text to the proper software field).

For example, security researcher (and friend) Rob Graham ran a partial scan of the Internet and determined this could be used to create a new Internet worm.

Once a complete patch is released it should completely block the vulnerability, but it is also possible there are strange variations that haven't been found yet. And to top it off, the sheer number of servers that need to be patched is nearly incomprehensible. Bash is even found in odd places like appliances, industrial control system components (think your power company), and even home automation. On the positive side, not everything is exploitable. It takes a combination of the vulnerable version of Bash and some way to send it arbitrary commands. But, to bring you back down again, we don't know what all those combinations are.

We will be dealing with this for years.

Why Most Macs are Safe -- Macs have Bash, and are just as vulnerable as anything else. However, the default configurations of most Macs appear to block the highest-risk methods of exploiting the bug. Unless you set up your Mac as a web server, or enable some other remote software that could link to Bash, you are safe. This isn't a problem for desktop and laptop users, but anyone running a Mac server should switch to a non-vulnerable default shell.

To be safe, I suggest most of you turn on your firewall (System Preferences > Security & Privacy > Firewall > Turn On Firewall) and set it to block all incoming connections (System Preferences > Security & Privacy > Firewall > Firewall Options) if you aren't on your home network. That might be more than you need, but it probably won't affect anything negatively as you use your Mac (it's how my Macbook Pro is always configured).

The one vector I was extremely worried about was an attack via DHCP. That could expose you if you connect to a network. I set up my own hostile DHCP server and tested the attack, to no avail. I couldn't compromise my Mac, and after asking on Twitter found out Apple uses its own, safer, version of a DHCP client.

Since we don't completely understand the full implications of the vulnerability, keep your eyes out for a system update. This vulnerability also may go back decades, so if you run an out-of-date version of OS X, you will want to recompile your version of Bash since Apple updates may not go back that far. But the rest of us should wait for an official update, since our risk is extremely low. Apple has already notified the media (including us) that they are working on it, and considering the fact most of the other fixes are broken, I'm okay waiting a little longer.
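If you want to know whether the Bash on your own machine still has the environment-variable bug described above, and whether the firewall settings recommended earlier are in effect, the following script is an added example (not from the TidBITS article or from Apple). It runs the widely published local self-test with a harmless echo as the only payload, and on OS X queries Apple's socketfilterfw tool; the function names and the SHELLSHOCK_MARKER string are this example's own choices.

```shell
#!/bin/sh
# Added example: local Shellshock self-check plus OS X firewall state.
# Nothing here touches the network; the probe only runs your own bash.

# Prints "vulnerable", "patched" or "no-bash" and returns 1, 0 or 2.
# A vulnerable bash, on startup, parses a function definition found in an
# environment variable and keeps executing whatever follows the closing
# brace; a patched bash ignores the trailing text (and warns on stderr).
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    out=$(env 'probe=() { :; }; echo SHELLSHOCK_MARKER' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# Reports the application firewall state using Apple's socketfilterfw
# (the command-line face of System Preferences > Security & Privacy >
# Firewall). On non-Apple systems it prints "not-macos" and does nothing.
macos_firewall_state() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    if [ ! -x "$fw" ]; then
        echo "not-macos"
        return 0
    fi
    "$fw" --getglobalstate   # is the firewall turned on at all?
    "$fw" --getblockall      # is "Block all incoming connections" set?
}

main() {
    echo "bash: $(bash --version 2>/dev/null | head -n 1)"
    echo "shellshock: $(shellshock_status)"
    macos_firewall_state
}
main
```

Run it with `sh shellshock-check.sh`; "patched" means the function-definition trick is ignored by your Bash, while "vulnerable" means you should install the Apple update (or a rebuilt Bash on older OS X) before exposing the machine to untrusted networks or services.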
