Vulnerable to shellshock?

Shellshock Beats Bendgate as Apple Threat

Leonid Bershidsky is a Bloomberg View columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru.
Read More.
a | A

For many years, Apple Macintosh and Linux computers were considered to be safer from malicious intervention than Windows machines. That seems to have been an illusion. A piece of software powering those flavors of personal computers and Web servers has a serious vulnerability, without a quick fix. It's a wake-up call to big companies that embed kernels of other people's work in their software that they need to do more to support the open source coding movement and keep it healthy.

The vulnerability has been dubbed Shellshock because it involves something called a Unix shell, an old-style interface which allows the user to type in commands to run various functions, rather than the graphic icons and menus we've grown accustomed to. Deep down, though, even modern operating systems obey command lines. There's DOS lurking under Windows 8, and a Unix shell under Mac OS and Linux.

The vulnerable shell is called Bash, or Bourne Again Shell: it's an open-source modification of one developed by Stephen Bourne at Bell Labs back in 1977. Yes, this is really old technology. The Bash Bug has been around for more than 20 years, but Stephane Chazelas, a programmer working in Edinburgh, only discovered it last week. It lets an attacker remotely run commands through the Unix shell, bending the computer completely to an external will. The dark beauty of Shellshock is that it doesn't need a username and password to gain access: Commands can be run through external scripts and trigger a reaction from the attacked machine.

Robert Graham of Errata Security scanned the Internet for vulnerable machines and effortlessly made thousands of them execute a harmless command. Computers running the Apache HTTP server, which powers slightly more than half of the World Wide Web, proved easiest to manipulate. The servers use Bash to run the scripts controlling all kinds of dynamic Web content. Malicious code can be embedded in the scripts using the bug. The attacker can deface or crash a site, download private files, or create a network of exploited computers to run distributed denial of service attacks.

You can check your own Apple or Linux machine using this procedure. I checked my iMac and found it vulnerable, but the enthusiasts working on the problem haven't written a fix for my version of Bash yet, and neither has Apple.

Instead, Apple released a statement saying Mac OS X systems such as mine are "safe by default and not exposed to remote exploits of Bash unless users configure advanced Unix services." I can't be sure that's true, and nor can Apple. Sure, my iMac is not running a web server and there's no obvious way to make it execute Bash commands remotely. If, however, it runs any software accessible from the Internet and using Bash, it can be exploited. Determining such software will take time and effort.

This is the same company, remember, that says its iPhones don't really bend. As much as "bendgate" is a frivolous scare -- take care with your phone and it'll be fine -- Shellshock is a real problem, whose magnitude probably exceeds that of the recent Heartbleed bug.

When Apple founder Steve Jobs, ousted from his own company, ran NeXT Computer in the 1980's and '90's, one of its products was a pioneering web server enabling dynamic content. It shared DNA with the NeXTstep operating system that evolved into Mac OS X after Jobs came back to Apple. Bash was an essential element of those systems. Huge programming edifices are built on open source software such as OpenSLL, which housed Heartbleed, or Bash.

The problem with open source is that since its creation is a free collaborative effort, mistakes often go unnoticed for years. "The average programmer writes 10x more code than they read," Errata Security's Graham wrote on his blog. "The only people where that equation is reversed are professional code auditors -- and they are hired primarily to audit closed-source code."

Now, a lot of people are looking for solutions to Shellshock, both on a pro bono basis and as part of their jobs. There are more such bugs out there, however. Big companies that use open source code -- in this particular case, Apple -- shouldn't just audit it. They should donate generously to the non-profit foundations that maintain the software to fund audits by the gatekeepers. That's the kind of announcement I'd hope to see from Apple now. As for a Shellshock patch for my computer, I'm pretty sure someone will provide one before Apple does.

This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.

To contact the author on this story:
Leonid Bershidsky at lbershidsky@bloomberg.net