Apple's Shellshock patch for Macs is incomplete, says security researcher

Apple just released a patch for Shellshock, a bug that could give hackers access to Macintosh computers, but a security specialist says Apple fixed only two out of three security holes.


Apple has issued a fix for Shellshock, also known as the Bash bug, a flaw that could let hackers gain access to some Macintosh computers. But security experts said Tuesday that Apple's patch is incomplete and leaves one vulnerability open.

Shellshock affects most computers around the world running Unix and Linux, including Apple's OS X operating-system software for the Mac. A quarter-century old, the Shellshock flaw allows potentially harmful code to run inside a bash shell, which is a common, simple interface for issuing commands to the computer. Potentially, the Shellshock bug could be used to access sensitive information or gain control of the computer.

Tod Beardsley, an engineering manager for security firm Rapid7, told CNET last week that Shellshock is extremely dangerous because it's easy to exploit and can give hackers the ability to take over Macs. Some researchers have said it's at least as dangerous as Heartbleed, a similar widespread vulnerability discovered earlier this year.

Rapid7 security researcher Greg Wiseman's work showing that OS X Mountain Lion is open to a third Shellshock vulnerability. Screenshot by Seth Rosenblatt/CNET

Apple fixed two vulnerabilities yesterday, but a third Shellshock vulnerability in OS X was discovered by another Rapid7 security researcher, Greg Wiseman. He says he ran a script to test for Bash/Shellshock vulnerabilities and found that even after installing Apple's patch on OS X Mountain Lion (released in 2012), the operating system was still susceptible to another vulnerability. That vulnerability, CVE-2014-7186, is a bug that could allow denial-of-service attacks, which would prevent a Mac from connecting to local networks or the Internet.
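As an added example, not the script Wiseman ran: a local self-check, written here as POSIX shell, that feeds the well-known public test inputs for the three CVEs the article names to a given bash binary and reports which pre-patch behaviours that bash still shows. The function names and the SHELLSHOCK_PROBE variable are constructed for this example.

```shell
#!/bin/sh
# Constructed local self-check for the three Shellshock CVEs the article
# names. Each probe runs the bash binary given as $1 on a harmless command
# and reports whether the pre-patch behaviour is observable on this machine.

# CVE-2014-6271: a variable whose value starts with "() {" is imported as a
# function, and text after the body is executed as a command.
# Returns 0 (vulnerable) if the trailing echo runs, 1 otherwise.
check_6271() {
    out=$(env SHELLSHOCK_PROBE='() { :;}; echo PROBE_EXECUTED' "$1" -c 'echo ok' 2>/dev/null)
    case "$out" in *PROBE_EXECUTED*) return 0 ;; *) return 1 ;; esac
}

# CVE-2014-7169: after the first fix, a parse error in the imported body
# left a dangling redirection, so "echo date" writes into a file named "echo".
# Returns 0 (vulnerable) if that file appears in a scratch directory.
check_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env SHELLSHOCK_PROBE='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$dir/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# CVE-2014-7186: many stacked here-document redirections overflow a fixed-size
# parser stack and crash bash, the denial-of-service case the article mentions.
# Returns 0 (vulnerable) if bash is killed by a signal, 1 if it exits normally.
check_7186() {
    redirs=""; i=0
    while [ "$i" -lt 79 ]; do redirs="$redirs <<EOF"; i=$((i + 1)); done
    "$1" -c "true $redirs" >/dev/null 2>&1; rc=$?
    [ "$rc" -ge 128 ] && return 0
    return 1
}

# Runs all three probes against the given bash (default: the one on PATH) and
# prints one verdict per CVE. Exit status is the number of vulnerable probes.
shellshock_check() {
    bash_bin=$(command -v "${1:-bash}") || { echo "bash not found"; return 127; }
    vuln=0
    for cve in 6271 7169 7186; do
        if "check_$cve" "$bash_bin"; then
            echo "CVE-2014-$cve: VULNERABLE"; vuln=$((vuln + 1))
        else
            echo "CVE-2014-$cve: not vulnerable"
        fi
    done
    return "$vuln"
}
```

Run `shellshock_check /bin/bash` on the machine being assessed; a non-zero exit status means at least one probe still shows the unpatched behaviour.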

Apple didn't respond to a request for comment.

The company said last week that only Mac owners who use advanced Unix settings are affected. "Bash, a Unix command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems," said Apple. "With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced Unix services."

Apple issued its patch Monday afternoon, five days after first word of the bug began to spread. Apple's patch addressed two Shellshock vulnerabilities, known as CVE-2014-7169 and CVE-2014-6271.

Apple's fix has yet to be added to its Software Update service for Macs, which pushes updates to the computers automatically. For now, Mac users need to go to Apple's site and download the patches for OS X Lion (10.7), OS X Mountain Lion (10.8) and OS X Mavericks (10.9). If you want to know which version of OS X your Mac is running, go to the Apple Menu in the upper left corner and click "About this Mac."
