Heartbleed, move over. There’s a new bug in town, and this time it’s also affecting Mac and Linux computers. It’s called Shellshock (its original official title is CVE-2014-6271), and it currently has a 10 out of 10 severity rating over at the National Cyber Awareness System. While some updates have been issued to fix this bug, they were incomplete, and your system is probably still vulnerable, as it has been for probably the last 20 years.
Bash is a command-line shell used in many Linux- and Unix-based operating systems, including Mac OS X. If bash is the default system shell on your computer, it can be used by remote hackers for network-based attacks. With a simple script, a hacker can launch programs or enable features on your computer without any passwords needed and without your knowledge. They could access your files, copy confidential information, delete data, run programs, and more.
While the likelihood of your personal Mac being targeted by an attack is relatively small, it’s still a big issue that will hopefully get a real and working patch soon. Until then, there are a few things you can do.
The Test Command
In a Terminal window, type the following command into the shell, followed by the Enter key. Terminal can be found in Utilities in your Applications folder, or via a quick Spotlight search.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
The Good Result
If your system is not vulnerable to the Shellshock bug, it will return something similar to the below output.
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
The Bad Result
If your system is indeed vulnerable to Shellshock, you’ll see the following instead.
vulnerable
this is a test
Is There an Update Yet?
Many Linux distros have already released patches for Shellshock (though they were mostly incomplete), but Mac OS X has not received anything yet, and Apple hasn’t even commented on the issue. There was a recent 10.9.5 update for Mavericks, but it has nothing pertaining to this issue.
If you’re worried, though, there is a way to manually update your GNU bash version to a more secure one, thanks to some users over at StackExchange.
Check Your Current Bash Version
To see which version of bash you have installed on your Mac, in a Terminal window, enter the following command (followed by the Enter key) into the shell.
bash --version
If you get GNU bash, version 3.2.51(1)-release, then you’ll want to manually update to the newest version of bash 3.2, which is 3.2.52.
Note: There are newer versions of bash out there, but Mac OS X runs off the 3.2 branch. If you’re using Linux, you’ll want to make sure the patch you download matches the version of bash you’re using. The latest patches for all major versions of bash (including 3.0, 3.1, 3.2, 4.0, 4.1, 4.2, and 4.3) can be found here.
Manually Updating Bash – Initial Requirements
You can manually compile the newest bash version (3.2.52) using the below instructions, but you have to have Apple’s Xcode installed on your Mac for this to work. If you don’t have it, you can download Xcode for free from the Mac App Store. There’s still an open question on whether this patch is effective, but we will be updating this guide to the latest version as soon as we know more.
If you don’t want to update bash, there is a workaround provided by Red Hat, but it hasn’t been tested fully, so I wouldn’t recommend it.
Step 1: Download & Compile the Patch
Once you’ve confirmed you have Xcode installed, open Terminal again and enter the following commands. Each bullet point is one command, so make sure you copy the full line in each bullet point (minus the bullet, of course).
- mkdir bash-fix
- cd bash-fix
- curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
- cd bash-92/bash-3.2
- curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
- cd ..
- xcodebuild
This process may take a while, and you’ll see a lot of text appearing in the Terminal window. It’s just Xcode compiling the new version of bash on your system. Once it’s done, it’ll say “BUILD SUCCEEDED” and you’ll see a Terminal prompt again.
Step 2: Back Up Your Current Version (Just in Case)
Just in case something goes wrong, it’s a good idea to back up your current version of bash. You can do so by entering the following two commands in Terminal.
You may be prompted to enter your admin password. If so, use the same password you use to log in to your Mac. You will not see your password in Terminal as you type, so it may take you a few attempts if you have a complicated password.
- sudo cp /bin/bash /bin/bash.old
- sudo cp /bin/sh /bin/sh.old
You won’t see any confirmation, but it’ll work, and if something goes wrong after Step #5 below, you can get back your old un-patched version of bash by reversing the above copy commands, to copy the “.old” copies back over their original files (without the “.old” part).
Step 3: Verify the Version of Your New Build
Enter the following commands in Terminal to verify you’ve got the new version of the bash build on your computer.
build/Release/bash --version
build/Release/sh --version
The output of these commands should confirm for you that the build version of bash is 3.2.52(1)-release.
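Step 3 checks only the version string. As an added example (not part of the original post), the script below runs the article's test command against specific binaries, such as build/Release/bash and build/Release/sh, before they are copied into /bin in Step 4. The function names and status words are assumptions made for this example, and a clean result covers only the CVE-2014-6271 probe shown earlier.

```shell
#!/bin/sh
# Added example: run the article's Shellshock test against named binaries.
# shellshock_status and check_all are illustrative names, not from the post.

# Print one word describing how the binary at $1 reacts to the probe:
#   vulnerable      the injected "echo vulnerable" was executed
#   not_vulnerable  only the intended command ran
#   inconclusive    unexpected output (binary crashed, is not a shell, ...)
#   missing         no executable file at that path
shellshock_status() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "missing"
        return 0
    fi
    # Same probe as the test command above, aimed at one specific binary.
    # stderr is discarded because patched 3.2 builds print warnings there.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*)     echo "vulnerable" ;;
        "this is a test") echo "not_vulnerable" ;;
        *)                echo "inconclusive" ;;
    esac
}

# Report on every path given; return non-zero unless all are not_vulnerable,
# so the result can gate the copy into /bin.
check_all() {
    rc=0
    for b in "$@"; do
        s=$(shellshock_status "$b")
        printf '%-24s %s\n' "$b" "$s"
        [ "$s" = "not_vulnerable" ] || rc=1
    done
    return $rc
}

# Typical use from the bash-92 directory:
#   sh check.sh build/Release/bash build/Release/sh /bin/bash /bin/sh
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

If the freshly built binaries report anything other than not_vulnerable, stop before Step 4 and keep the existing /bin/bash and /bin/sh in place.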
Step 4: Replace Your Old Bash with the Patched Version
Almost done. You just have to make the new version of bash your default one. Do so with the following Terminal commands.
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
And that’s it.
Post courtesy: http://mac-how-to.wonderhowto.com/