‘Shell Shock’ command line vulnerability present in OS X, could be bigger than Heartbleed

bash

Update: Apple has issued a statement to iMore regarding this issue, stating that most Mac users are already protected unless they have configured “advanced UNIX services.” An update is in the works to protect those users.

A vulnerability in Bash, the software used to control the command shell in many flavors of Unix, has been shown to be present in OS X – with some security researchers saying that the flaw could pose a bigger threat than the Heartbleed vulnerabilty discovered last year (which affected many Unix systems but not OS X).

The Bash vulnerability being referred to by some as ‘Shell Shock’ allows an attacker to run a wide range of malicious code remotely. It was discovered by security researchers at RedHat, and is described in detail in a blog post.

There are conflicting reports as to the extent to which Mac users are at risk …  Read more

Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible

update

Update: Apple issued OS X 10.9.2 the following day, which included a fix for the SSL bug.

After Apple fixed the SSL bug in iOS, it’s unclear why three days have passed without an OS X fix after it was revealed by Reuters that the vulnerability was created by an error in a single line of code.

The problem lies in the way the software recognizes the digital certificates used by banking sites, Google’s Gmail service, Facebook and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.

As the bug is in Apple’s SSL authentication code, it leaves a whole range of apps vulnerable, not just Safari …  Read more