Security flaw in OS X ‘Bash’ command shell found, can be used for attacks on devices and services


Eventually — inevitably — a new security flaw will be found. It can oftentimes be small, fixed with a quick patch, but sometimes it’s big. Or, in this particular case involving the ubiquitous “Bash” command shell, potentially very big.

According to a report published by MacRumors, security researchers from Red Hat have discovered a vulnerability buried within the common “Bash” command shell used in OS X and Linux. With it, someone with the know-how could launch a wide range of attacks, not only against devices and unsecured websites, but also against smart devices within the home, servers and more. Worse, it can all be done with minimal effort on the attacker’s part.

According to one security researcher, Robert Graham, this Bash flaw doesn’t have the potential to be as big as “Heartbleed,” the flaw discovered in early 2014 in OpenSSL, the library that secures connections between clients and servers, because it already is:

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.

Heartbleed was massive, reportedly affecting upwards of 66 percent of the Internet, but Apple announced in April that it did not affect “key services” within the Apple ecosystem. 12 days after that announcement, Apple sent out updates to their AirPort Base Stations, as well as their Time Capsules, to cover bases and better protect against any future attacks.

As it stands right now, Apple has not patched the Bash flaw in OS X, even after a recent update to the desktop platform. However, it is unlikely they will let this go unattended for long.
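Since the article says Apple has not yet shipped a fix, the check a practitioner wants is whether the Bash on a given machine is still affected. The script below is an added example, not part of the article or of any vendor’s tooling. It relies on the publicly documented cause of the flaw, which the article does not spell out: an unpatched Bash, when importing a function definition from an environment variable, also executed any command text appended after the function body. The check therefore exports a harmless function with a trailing `echo` and asks Bash to run an unrelated command; if the extra `echo` fires, the shell is unpatched. The function name `shellshock_check` and the optional path argument are this example’s own conventions, and it assumes a `bash` binary is on the PATH unless one is passed in.

```shell
#!/bin/sh
# Added self-check (not from the article): is the local Bash still affected?
# Output is one of: "vulnerable", "patched", "missing" (no bash binary found).

# Classify the captured output of the probe. Separated out so the decision
# logic can be checked against constructed strings without a live Bash.
classify_probe_output() {
  case "$1" in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# Run the probe against the given Bash binary (default: "bash" from PATH).
# The environment variable holds a no-op function body followed by an
# extra "echo vulnerable"; only an unpatched Bash executes that tail while
# it imports the function. The -c command itself is deliberately unrelated.
shellshock_check() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 0; }
  out=$(env 'x=() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
  classify_probe_output "$out"
}

# Stand-alone usage: report the status of the default Bash.
if [ "${0##*/}" = "shellshock_check.sh" ]; then
  shellshock_check "$@"
fi
```

Run it on each host you are responsible for, passing an explicit path (for example `/bin/bash`) where several Bash builds are installed; a result of “patched” from one binary says nothing about the others. The same approach does not help with the embedded devices the article mentions unless you can get a shell on them, so for those the realistic controls remain a vendor firmware update and keeping their web interfaces off untrusted networks.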

[via MacRumors]