The security team at Red Hat, which develops the Linux distribution of the same name, discovered a critical flaw in UNIX, the system that underlies both Linux and OS X. The flaw is in the bash command processor and, in theory, allows an attacker to take complete control of the compromised computer. This is not a new bug; on the contrary, it has existed in UNIX systems for twenty years.
Bash is a command processor (shell) that executes commands entered on the command line, the basic interface of Terminal in OS X and its equivalent in Linux. Commands can be entered manually by the user, but some applications can also use the shell. An attack therefore does not have to be aimed directly at bash; it can target any application that uses it. According to security experts, this bug, named Shellshock, is more dangerous than Heartbleed, the SSL library bug that affected much of the internet.
According to Apple, users running the default system settings should be safe. The company gave the following statement to iMore:
A large portion of OS X users are not at risk from the recently discovered bash vulnerability. There is a bug in bash, the Unix command processor and language included in OS X, that could allow unauthorized users to gain access to remotely control a vulnerable system. OS X systems are secure by default and are not vulnerable to remote exploits of the bash bug unless the user has configured advanced Unix services. We are working to provide a software update for our advanced Unix users as soon as possible.
Instructions have appeared on StackExchange showing how users can test their system for the vulnerability and how to fix the bug manually through the terminal. The post is also accompanied by an extensive discussion.
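A local check of this kind can be scripted as follows. This is an added example, not the text of the StackExchange post and not Apple's or Red Hat's code; the function name `check_shell` and the marker string are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: local probe for the bash flaw described above (Shellshock).
# An affected bash imports a function definition from an environment variable
# and then keeps executing whatever follows the function body.
# The probe's trailing command only prints a marker string.

MARKER="SHELLSHOCK_PROBE_MARKER"   # constructed marker, any unique string works

# check_shell PATH
# Prints one of: vulnerable | not vulnerable | missing | inconclusive
# Returns 0 only when the shell ran the probe and ignored the trailing command.
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 2
    fi
    # x looks like an exported function followed by an extra command.
    # A fixed bash (or a non-bash shell) treats it as plain data.
    out=$(env x="() { :;}; echo $MARKER" "$shell_path" -c "echo probe-done" 2>/dev/null)
    case $out in
        *"$MARKER"*)   echo "vulnerable";     return 1 ;;
        *probe-done*)  echo "not vulnerable"; return 0 ;;
        *)             echo "inconclusive";   return 3 ;;
    esac
}

# Run as a script: check each path given, or the bash found on PATH.
[ $# -gt 0 ] || set -- "$(command -v bash || echo /bin/bash)"
for s in "$@"; do
    printf '%s: %s\n' "$s" "$(check_shell "$s")"
done
```

A "not vulnerable" result covers this one probe only; installing the vendor's bash update remains the fix.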
The impact of Shellshock is theoretically huge. Unix is found not only in OS X and on computers running one of the Linux distributions, but also on a considerable number of servers, network devices and other electronics.
Interesting article. Thanks for the info
Can someone write here when Apple sealed it? The error has already been fixed..
Doesn't Android have a Unix kernel by any chance?
Just like iOS.
However, this is not a problem of unix kernels, but of bash
Error right in the title. It's not Unix that suffers from the bug, it's bash. Unix doesn't have to include bash, so it's not Unix's fault.
Android is Linux with Dalvik JVM. So the kernel is Linux, including utilities like Bash.
But that problem is somewhat inflated. It basically has no impact on OS X, it is only serious for Linux servers that use Bash to run daemons like Apache, etc.
But even this is quite unusual, for example on Debian and Ubuntu, Bash is not used by default for server services, but Dash, and it is not affected.
On various routers, WiFi APs, etc., it's explicitly unlikely, because they tend to have a stripped version of Linux where Bash won't fit, using Busybox or zsh instead, etc...
So I think it's a bit of a media bubble.
Dalvik is not a JVM.
"Kernel is Linux including utilities" doesn't make sense.
Android usually doesn't include bash, or other common GNU utilities.
The most important thing(!): The problem is not if Apache or another server is started by bash, but if bash itself is running.
Don't get too involved with Zsh, it's more likely to be used interactively.
It's not a bubble.
But otherwise you are quite right.
The update is out