GT Explains: What Is The Shellshock Bug and How To Patch It On Mac OS X

Khamosh Pathak


Heartbleed. Shellshock. Well, we’ve learned the names of these dangerous bugs that sound like Taylor Swift song titles. Heartbleed affected virtually every website out there. It was a notorious bug that had lain dormant for years, and while the fix was easy, it had to be implemented by every individual developer.

Security expert Robert Graham says Shellshock is bigger than Heartbleed.

So what exactly is this Shellshock bug and how does it affect your Mac? Let’s talk about it and the solution.

What Is Shellshock?

Underneath the graphical user interface runs code – commands that run processes and provide you with the output on the screen.

In Bash, the command line interface in OS X, a string of text can be stored as a variable. Programmers turn text into variables so they don’t have to type them again and again.

For example you can say:

Z='this is a long string of text'

And later on if you say echo $Z, the command line will insert the text where you want it. This is meant to be treated as text and not as a command. And this is where the bug is.

In the Bash command line used by Linux and OS X, if the text stored in a variable starts with a certain sequence of characters, whatever follows that sequence can be turned into a command.

That sequence is:  () { :;};

This means that commands that were not sanctioned by the system or the developer, even commands that are blocked due to their malicious or disruptive nature, can run if they have this prefix.

[Image: Shellshock example, via PC World.]

Shellshock (or the Bash bug if we’re being technical) is limited to UNIX-based systems, meaning OS X and Linux. Windows users are not affected by this bug.

For a more technical explanation check out Vox’s excellent breakdown of the Shellshock bug. Alternatively, check out the video below for the same simple explanation, in a British accent.

How Does The Shellshock Bug Affect You

Directly, it does not.

But while apps in OS X run in a sandboxed mode, they do talk to each other – to offload tasks to other apps or to ask for system level functionality. All this talk takes place using code, in the Terminal.

During one of these exchanges, one app can add the prefix in the quotes and turn it into a command. These commands can either wipe your computer, render it useless, copy the contents of your drive or any number of things possible via the command line.

How To Patch The Shellshock Bug

Fortunately, Apple has said that only a small number of OS X users are susceptible to the Shellshock bug. But if you are on a Mac running OS X Lion, Mountain Lion or Mavericks, it’s advisable to install the fix update from the links below. There’s no fix for Yosemite beta users yet.

The update for Mavericks is only 3.2 MB and comes as a DMG file. The process of installation is simple and you don’t even need to restart your Mac.

It’s a standard package installer in a DMG file. Open the installer and press Next a couple of times and the update will be installed.
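
One way to confirm the update took effect, as an added example that is not from the original article or from Apple: the script stores the prefix described above, followed by a harmless echo, in a variable and reports whether each shell ran it. The names check_shellshock and report_shells, the variable name probe and the marker string are assumptions made for this example.

```shell
#!/bin/sh
# Added example: defensive self-check for the Shellshock bug.
# check_shellshock and report_shells are hypothetical helper names.

# Probe one shell binary. Prints "vulnerable", "patched" or "missing".
check_shellshock() {
    shell_bin="${1:-/bin/bash}"
    [ -x "$shell_bin" ] || { echo "missing"; return 2; }

    # The variable's value begins with the "() { :;};" prefix from the
    # article. A patched shell keeps it as plain text; a vulnerable Bash
    # runs the harmless echo that follows the prefix while starting up.
    probe_out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' \
                "$shell_bin" -c 'echo done' 2>/dev/null)

    case "$probe_out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# OS X ships Bash as /bin/bash, and its /bin/sh is Bash as well,
# so both binaries need the update.
report_shells() {
    for shell_path in /bin/bash /bin/sh; do
        printf '%s: %s\n' "$shell_path" "$(check_shellshock "$shell_path")"
    done
}

report_shells
```

Run it in Terminal before and after installing the update; both lines should read "patched" afterwards.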

That’s about it. Stay safe.

Top image via Shutterstock
