Apple’s statement on the UNIX Bash vulnerability

Apple provided me with the following statement today:

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

Clearly, most users do not use the advanced UNIX services.



  • Joseph Blake

    What do they mean by advanced UNIX services?

    • Kaelten

      I assume they mean remote SSH access.

      • Bob G

        It sure would be nice to know for sure, but I guess Apple doesn’t think that’s important. Why does everything they say sound like a marketing/salesman-in-charge company?

        • Kaelten

          They’re one of the largest companies in the world, messaging has to be controlled or chaos would ensue.

          They also have to make sure that any statements like this have to be comprehendible to the masses.

          With this wording it’s pretty easy for non power users to know they don’t have to worry.

          • “They’re one of the largest companies in the world”

            To be accurate, no, Apple isn’t. While they may be the most valuable at times, they are relatively small when it comes to headcount.

          • Kaelten

            Headcount? Sure.

            I don’t know how many companies have that many customers though. Which for my statement is probably a more accurate measure of size.

          • How many customers is that? Regardless, there are plenty of companies that have more customers than Apple.

          • Kaelten

            With more than 800 million iTunes accounts, I’m not sure there are many companies with more customers.

          • China has 1.2 billion cell phones in use. 🙂

          • Kaelten

            The largest of which is China Mobile with 796m customers 😉

            http://www.chinamobileltd.com/en/global/home.php

          • Yup. Proving my point.

          • Kaelten

            Apple had more customers than China Mobile in April when they announced the earnings call. 🙂

            http://www.forbes.com/sites/nigamarora/2014/04/24/seeds-of-apples-new-growth-in-mobile-payments-800-million-itune-accounts/

            Based on past growth of iTunes accounts they should be north of 900 million by now.

            My original point of Apple being one of the largest companies in the world is true by nearly any metric you throw at it. The fact they handle it with a ‘lowly’ count of 80k employees (https://www.apple.com/about/job-creation/) makes it all more impressive.

            Based on that employee count I think it’d still put them in the top 100-200 employee counts in the US, and I’d imagine within the top few percentiles, but the rankings I can find only go to the top 50, which is around 120k.

          • JohnGaltUSA

            Jesus, the trolls are everywhere!

          • The statement is still accurate — here in the US we often use market cap as the size stick, not headcount.

        • Sigivald

          Because this was a press release, not a technical bulletin?

    • networking, servers… The stuff that runs the Internet…

  • Web Sharing disappeared from the Sharing preference panel in 10.8 (Mountain Lion). If you’re running it and open to the public (Mac Mini colo or something), you probably know how to fix this yourself ahead of the OS X update that does it for you.

  • Jim McPherson

    Oddly, the existence of advanced Unix services in OS X is what prompted me to accept Macs as Real Computers (and ditch Linux) way back when, but since then I’ve scarcely done anything with them.

  • Rakden

    Mostly web services (e.g. Apache), and even then you need to be using bash scripts, not Perl. I disagree that “systems are safe” but the risk is minimal for most OS X users running default configurations. I compiled and built an updated bash package for our organization. Most of the other *nix companies have already released patches, so the lack of an official patch from Apple is a little disheartening. The response I got from enterprise support was a bit lackluster, though I understand the reasoning.

    “Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

    I’m just getting a lot of heat from our security office about why Apple doesn’t have an official patch yet. My inclination is they are testing the living hell out of any patch after the 8.0.1 “killed my 6” debacle. Still, if I, an admin who is totally not a programmer, could compile and package a fix, Apple should have something out soon, I would hope.

    • You clipped off part of that “systems are safe”: The full statement said “systems are safe by default.”

      They’re absolutely right, but it’s also a useless statement. Though they should have mentioned which non-default setting or downloads opened this up.

      • Rakden

        I disagree with “systems are safe by default”. As long as this known vulnerability is there even with the default configuration, they are not “safe”. There is a low risk of the vulnerability being exploited but saying they are safe is incorrect. I imagine low-risk just didn’t have the same sexy marketing zing.

        • Jim McPherson

          Well no, it’s more that if a user hasn’t explicitly enabled a power user function that is off by default, then an attacker would have to find ANOTHER vulnerability somewhere before they can attempt to access this one. “Safe by default” sounds correct to me, given what we know.

          • Rakden

            Bash isn’t off just because you haven’t enabled any forward-facing web services (or other remote services like ssh, but even then an attacker would need credentials to get in to exploit this specific vulnerability). Potentially an attacker could “trick” a user into downloading a package that could have an install script that exploits this vulnerability, gaining them access to the client system. No other technical vulnerability is needed. Just a bit of social engineering.

            The surface area for attack for most users makes them very low risk, but Apple doesn’t do anybody any favors by just claiming these systems are safe. If they are safe, why bother patching at all?

          • Sigivald

            “Potentially an attacker could ‘trick’ a user into downloading a package that could have an install script that exploits this vulnerability gaining them access to the client system”

            Yeah, but that won’t get them elevation.

            (And that’s also really close to “get them to install a trojan” in terms of an exploit vector, and if they’re going that far, well, it’s real easy to just install a real trojan.

            If they’ll do that, and an outsider is targeting them, the system’s already doomed.)

          • Jim McPherson

            If you can social engineer someone into installing your software, you don’t need the Bash exploit to do something harmful to your computer.

            Note, by the way, that “Allow Apps Downloaded from Anywhere” is off by default, so someone needs to change their settings in order to run the program they were convinced to download.

          • An attacker could also trick a user into downloading a package that does this explicitly. If you are going to start by assuming you can make the user install anything you like, you might as well go straight to your endpoint.

            That’s why Apple refers to the default configuration. If you install something that downloads and runs bash scripts indirectly (brew? port? – not sure), that’s not default configuration. If you just install a bad bash script, it might as well directly be a bad bash script.

  • Jonas Ensby

    This is a load of crap. Every single Mac I’ve tested is vulnerable, including the MacBook Air of my girlfriend, who, I can assure you, does not use “advanced UNIX services”, whatever that entails.

    • Rakden

      The surface area for attack for most users makes them very low risk, but Apple doesn’t do anybody any favors by just claiming these systems are safe. Without what Apple terms advanced UNIX services, it would be difficult to remotely exploit this vulnerability, but unless you have compiled and installed bash 3.2.53 yourself the vulnerability is there. Low risk ≠ safe by default.

    • Sigivald

      It said “not at risk”, meaning no surface area exposure to remote attacks, I imagine.

      That everyone’s Mac has a vulnerable bash(1), at least until the next update, doesn’t really affect “not at risk” in that context.

      We have to remember what they’re talking about, which is not “ability to leave a command prompt open at DefCon and not get exploited”, but “do you have to worry about someone being able to attack your Mac while it’s just sitting there at home or at Starbucks”…

    • Of course it’s vulnerable. The question is if it’s at risk. To be at risk, it must be vulnerable and ALSO be an attack vector. What’s the attack vector? How will someone who isn’t sitting at the computer logged in attack it? How can someone actually sitting at the computer do anything with this that they couldn’t do some other way?

      Of course there are ways. If your girlfriend does web development, maybe her computer has a reasonable attack vector.

      Otherwise, what’s necessary to enable an attack vector? Enabling Apache and installing particular web server software (one that calls bash unsecured scripts)? Installing a third party package manager (one that calls bash unsecured scripts)? What?

      Putting these under “advanced UNIX services” is fair, and not crap.

  • Hatersgonahate

    “Clearly, most users do not use the advanced UNIX services.”

    Clearly, most users are not smart enough to use advanced stuff and clearly are stupid enough to believe they are not vulnerable.