Apple's Shellshock patch for Macintosh computers may be incomplete, say experts

Apple just released a patch for the Shellshock bug that could give hackers access to Macintosh computers, but a security expert believes Apple fixed only two out of three security holes.

Apple issued a fix for the Shellshock bug, also known as Bash, that could allow hackers to gain access to Macintosh computers. But security experts said on Tuesday that Apple's patch is incomplete, and leaves one vulnerability wide open.
Shellshock affects most computers around the world running Unix and Linux, including Apple's OS X operating system software for the Mac. A quarter-century old, the Shellshock flaw allows potentially harmful code to run inside a bash shell, which is a common, simple interface for issuing commands to the computer. Potentially, the Shellshock bug could be used to access sensitive information or gain control of the computer.

Tod Beardsley, an engineering manager for security firm Rapid7, told CNET last week
that Shellshock is extremely dangerous because it's easy to exploit, and can gives hackers the ability to take over your Mac. Some researchers have said it's at least as dangerous as Heartbleed, a
similar widespread vulnerability discovered earlier this year.

If you have a Macintosh, you want to be sure to install these security updates to ensure the safety of your Mac.

Rapid7 security researcher Greg Wiseman's work showing that OS X Mountain Lion is open to a third Shellshock vulnerability.
Screenshot by Seth Rosenblatt/CNET

Apple fixed two vulnerabilities yesterday, but a third Shellshock vulnerability in OS X was discovered by another Rapid7 security researcher, Greg Wiseman. He says he ran a script
to test for Bash/Shellshock vulnerabilities and found that even after installing Apple's patch on OS X Mountain Lion (released in 2012) the operating system was still susceptible to another vulnerability. That vulnerability, CVE-2014-7186, is a bug that could allow for Denial of Service attacks, which would prevent a Mac from connecting to local networks or the Internet.

Apple didn't respond to a request for comment.

Apple issued its patch on Monday afternoon, five days after first word of the
bug began to spread on September 24. Apple's patch addressed two Shellshock vulnerabilities, known as CVE-2014-7169 and CVE-2014-6271.

Apple's fix has yet to be added to its Software Update service for Macs, which pushes updates to the computers automatically. For now, Mac users need go to Apple's site and download the patches for OS X Lion (10.7), OS X Mountain Lion (10.8) and OS X Mavericks (10.9). If you want to know which version of OS X your Mac is running, go to the Apple Menu in the upper left corner and click "About this Mac."

Apple said last week that only Mac owners who use advanced Unix settings are
affected. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems," said Apple. "With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services."

 - CNET