Skip to main content

Apple Addresses 'Shellshock' Bug as More Attacks Appear

Credit: i3alda/Shutterstock

(Image credit: i3alda/Shutterstock)

The impact of the "Shellshock" flaw continued to roll across the Internet Thursday and Friday, with Apple making its first statement on the issue and more malware that exploited the flaw appearing.

"The vast majority of OS X users are not at risk to recently reported Bash vulnerabilities," an Apple spokesperson told Tom's Guide, in a statement repeated to multiple media outlets. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems.

"With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users."

MORE: Best Mac Antivirus Software 2014

Security experts confirmed yesterday that OS X does not use Bash in Internet-facing processes, reducing the risk that computers and servers running Apple software might be vulnerable to remote attack by unauthorized users.

OS X machines are still vulnerable to the Bash flaw, but an attacker would need to already be logged in as a user, albeit one without administrative privileges. (Apple devices running iOS are not affected; most Android devices are similarly immune, but the Cyanogenmod fork of Android is vulnerable.)

Testing for Shellshock

To test whether a machine running OS X, Linux or another UNIX-like operating system is vulnerable, open up a command-line interface (in OS X, it's called Terminal), copy the following text string:

env x='() { :;}; echo oh hi' bash -c "echo you have a problem"

Paste that into the command-line window and hit return or enter. If you receive this as a reply:

oh hi
you have a problem

... then the machine is vulnerable to the Shellshock flaw, which permits execution of undefined commands — in this case, "echo oh hi" — alongside defined commands such as "echo you have a problem."

Attacks on Web servers

The real threat posed by Shellshock is to Web servers enabled to respond to Common Gateway Interface (CGI) queries from client machines. It's a bit outdated, but CGI is used to interact with Web browsers on client machines to build elements of Web pages on the fly, such as by displaying real-time news updates or other "dynamic" content.

If a Web server were to have Bash as its default command-line tool or "shell," and the server used command-line tools to generate dynamic content and send it to Web browsers, then an attacker could generate a Bash query that included commands to the server to alter content or install malicious software.

"If ... you have a CGI written in shell script, you are in deep trouble," wrote Daniel Cid, founder and chief technology officer of Menifee, California-based security firm Sucuri. "Drop everything now and patch your servers."

"This is potentially the easiest website defacement vector we've ever seen, not to mention a very easy way of distributing malware," Australian security researcher Troy Hunt wrote in a much-read blog posting explaining the Shellshock flaw.

Evidence of the latter function became clearer late yesterday (Sept. 25), as more malicious activity appeared. Researchers at AlienVault Labs in San Mateo, California, set up a "honeypot" to attract attackers exploiting the Shellshock flaw.

"We have had several hits in the last 24 hours," wrote AlienVault Labs Director Jaime Blasco in a blog posting, adding that several were simply probing for vulnerabilities. But, he added, "we have found two attackers that are using the vulnerability to install two different pieces of malware on the victims."

The worse of the two, Blasco wrote, tried to infect the server with malware that would "herd" the server into a botnet, or group of infected machines secretly being controlled by a malicious attacker. Botnets can be used for many purposes: cracking passwords, pumping out spam, delivering malware or attacking yet more servers.

Over 24 hours, the AlienVault team witnessed 20 servers join the botnet, proof of successful attacks by the malware creators, who, judging by snippets of language in the malware code, spoke Romanian.

Meanwhile, Emanuele Gentili, head of Italian security firm Tiger Security, told the Australian tech website IT News that his company had detected an already-existing botnet scanning U.S. military websites for Shellshock vulnerabilities.

"We saw that the malware has conducted a massive scan on the United States Department of Defense Internet Protocol address range on port 23 TCP or Telnet for brute force attack purposes," Gentili told IT News.

Unrelated Amazon activity

Coincidentally, Friday also the beginning of a major server update at Amazon Web Services (AWS), which thousands of Web-based companies, including Expedia, Netflix and Pinterest, use to host their data.

The update process is expected to affect about 10 percent of AWS clients over the course of the weekend, but Amazon made clear that it had no relation to the Shellshock bug.

"This update is not in any way associated with what is being called the 'Bash Bug' in the news," Amazon said in a blog posting about the update.

In a separate security advisory, Amazon stated that its services were "not affected" by Shellshock except under very specific client circumstances.

Here's a video security firm Symantec prepared to explain how Shellshock works and can be exploited.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.