Apple has confirmed that its Mac OS X operating system is vulnerable to the newly reported Bash bug that experts estimate puts up to 500 million Unix-based computers at risk.
The Bash flaw is found on a thousand times as many computers as Heartbleed, and could potentially have been exploited in secret at any point in the 25 years since it was introduced.
Security firms have warned that attackers are probing systems for the weakness.
According to security firm AlienVault, at least two computer worms are actively exploiting the flaw to install malware that turns the systems into bots, which can be used for distributed denial of service (DDoS) attacks.
The US and UK Computer Emergency Response teams were quick to issue warnings about the bug, dubbed Shellshock, and urged affected organisations to install software security updates immediately.
At first, it was not clear if Apple’s Mac OS X was affected, but now the company has acknowledged that the operating system is vulnerable and a fix is on the way.
However, the company claims anyone using default Mac settings should be safe, reports The Verge.
"Most OS X users are not at risk to recently reported Bash vulnerabilities," Apple said in a statement.
"With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced Unix services,” Apple said, adding that it is working on a software update.
However, Apple has not indicated which “advanced Unix services” could make Mac OS X users vulnerable to attack.
The biggest threat is to the enterprise, because many web servers run Apache with CGI enabled: the server copies request headers into environment variables before launching a CGI script, so any script written in Bash, or that calls Bash, hands attacker-controlled header values straight to the vulnerable parser.
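The following script is an added illustration of that exposure path; it is not code from the article, from Apple or from the Apache project. It assumes a bash binary on PATH, uses the widely published one-line test for CVE-2014-6271 (the identifier assigned to the flaw the article calls Shellshock), and simulates a CGI request with a constructed header and a constructed, benign CGI script. The header-to-variable mapping follows the CGI convention (User-Agent becomes HTTP_USER_AGENT). One caveat a practitioner should keep in mind: the first vendor patches for this flaw were incomplete and a follow-up identifier, CVE-2014-7169, covers the remainder, so passing this single test shows only that the original bug is closed.

```bash
#!/usr/bin/env bash
# Added example, not from the article or from Apple/Apache: a local check for the
# Bash environment-variable function-import flaw (CVE-2014-6271) and a simulation
# of the CGI path through which a web server exposes it.
#
# Unpatched Bash imported any environment variable whose value began with "() {"
# as a function definition and kept parsing, and executing, whatever followed the
# closing brace. CGI servers export request headers as environment variables
# (User-Agent becomes HTTP_USER_AGENT), so a hostile header reaches that parser.

# Returns 0 if the bash on PATH is vulnerable, 1 if it is not, 2 if bash is missing.
# The variable contents are the widely published one-line test for CVE-2014-6271.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CGI convention (RFC 3875) for turning a request header name into an environment
# variable name: upper-case it, replace '-' with '_', prefix with HTTP_.
cgi_env_name() {
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# Simulates what a CGI-enabled server does with one request header: export it under
# its CGI name, then run a CGI script written in bash. The script is benign; on an
# unpatched bash the injected command (a harmless echo here) would run before it.
# Returns 2 if bash is missing, otherwise the script's exit status.
cgi_probe() {
    header_name=$1
    header_value=$2
    command -v bash >/dev/null 2>&1 || return 2
    env "$(cgi_env_name "$header_name")=$header_value" \
        bash -c 'printf "Content-type: text/plain\n\n"; echo "hello from cgi"'
}

main() {
    rc=0
    shellshock_check || rc=$?
    case $rc in
        0) echo "bash on PATH is VULNERABLE to CVE-2014-6271" ;;
        1) echo "bash on PATH passes the CVE-2014-6271 test" ;;
        *) echo "no bash found on PATH" ;;
    esac
    echo "--- simulated CGI request carrying a hostile User-Agent ---"
    cgi_probe User-Agent '() { :;}; echo INJECTED' || true
}
main
```

On a patched system the simulated request prints only the script's own output; on an unpatched one the word INJECTED appears first, which is exactly the order of events an attacker relies on. The same check, run on a router or other embedded device that ships a shell, is the quickest way to tell whether its firmware was ever updated.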
While most of the main Linux distributions have rushed out updates, security experts have raised concerns about Unix-based embedded systems in internet of things (IoT) devices.
The firmware in devices such as Wi-Fi routers commonly uses Bash scripts, but such devices may not be identified as at risk and are therefore unlikely to be patched.
“This is going to be one that’s with us for a long time, because it’s going to be in a lot of embedded systems that won’t get updated for a long time,” said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.
“The target computer has to be accessible, but there are a lot of ways that this turns accessibility into full local code execution. For example, one could easily write a scanner that would basically scan every Web site on the planet for vulnerable (Web) pages,” he told KrebsOnSecurity.
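The flip side of the scanner Weaver describes is spotting its traffic in your own logs. The script below is an added example, not from the article or from Weaver: it runs over a handful of constructed Apache combined-format access-log lines (documentation-range IP addresses, harmless payloads) and flags requests whose recorded headers carry the "() {" function-definition prefix that the unpatched Bash importer accepted. The caveat it builds in: the combined format records only the Referer and User-Agent headers, so probes sent in other headers (Cookie, Host, custom headers) will not show up here and need full request logging or an IDS in front of the server.

```bash
#!/usr/bin/env bash
# Added example, not from the article: flagging Shellshock probes in an Apache
# combined-format access log. A scanner looking for exposed CGI scripts puts the
# function-definition prefix "() {" in a request header; the combined log format
# records only the Referer and User-Agent headers, so probes sent in other headers
# will not appear here.

# Constructed sample lines (documentation-range IPs, harmless payloads): the second
# and third are probes from one source against one path (User-Agent, then Referer),
# the fourth a probe with no space after "()".
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:01:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:14 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; /bin/echo probe" "curl/7.35.0"
203.0.113.5 - - [25/Sep/2014:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "(){ :;}; echo probe"
EOF
}

# The prefix the unpatched importer accepted: "()" then optional whitespace then "{".
# Written as an extended regex for grep -E.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Prints the log lines on stdin that carry the prefix anywhere.
detect_shellshock_probes() {
    grep -E "$SHELLSHOCK_RE"
}

# Prints the number of matching lines on stdin; grep -c exits 1 on zero matches,
# so that status is swallowed to keep the count usable under set -e.
count_shellshock_probes() {
    grep -E -c "$SHELLSHOCK_RE" || true
}

# One line per (source IP, requested path) pair, most active first: "count ip path".
# In the combined format field 1 is the client IP and field 7 the request path.
summarise_probes() {
    detect_shellshock_probes \
        | awk '{ key = $1 " " $7; n[key]++ } END { for (k in n) print n[k], k }' \
        | sort -rn
}

sample_log | summarise_probes
```

Run against a real log, replace `sample_log` with `cat /var/log/apache2/access.log` (path assumed; it varies by distribution). Hits against `/cgi-bin/` paths deserve the first look, but a probe against a static page is still a sign that the source is sweeping the whole site, as the article's scanner would.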
Like Heartbleed, the Shellshock bug has highlighted the world’s reliance on open-source code produced and maintained by small teams of developers, often on a voluntary basis.
The discovery of the Heartbleed bug uncovered the fact that the OpenSSL cryptographic software was maintained by a small team operating on a shoestring budget.
Similarly, the responsibility for Bash lies with just one person - Chet Ramey, a developer based at Case Western Reserve University in Ohio, reports the BBC.
That such key parts of everyday technology are maintained in this way is a cause for concern, said Tony Dyhouse from the UK's Trustworthy Security Initiative.
"This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK,” he told the BBC.
"Ultimately, this is a lifecycle problem. It is here because people are making mistakes while writing code and making further mistakes when patching the original problems,” said Dyhouse.
Stephane Chazelas, the French security researcher who discovered Shellshock, said he was "awed and frightened" by what he found.
"I realised I had in my hands something that could allow one to hack into a great number of servers or worse," he told the ABC.
Chazelas said the problem with the Shellshock bug is that, because so many different types of software may interact with Bash, it is difficult to know all the possible ways the vulnerability can be exploited.