Update: Apple has issued a statement to iMore regarding this issue, stating that most Mac users are already protected unless they have configured “advanced UNIX services.” An update is in the works to protect those users.

A vulnerability in Bash, the software used to control the command shell in many flavors of Unix, has been shown to be present in OS X – with some security researchers saying that the flaw could pose a bigger threat than the Heartbleed vulnerabilty discovered last year (which affected many Unix systems but not OS X).

The Bash vulnerability being referred to by some as ‘Shell Shock’ allows an attacker to run a wide range of malicious code remotely. It was discovered by security researchers at RedHat, and is described in detail in a blog post.

There are conflicting reports as to the extent to which Mac users are at risk … 

In a Stack Exchange thread, one user argues that while Macs are technically vulnerable, most are unlikely to be at risk in practice.

Yes you are technically vulnerable. But the reality is unless you allow SSH access from remote connections or a web server that runs server side scripting, you are not at risk. You are only truly vulnerable if someone you do not know can remotely access your machine & do so in a way where a Bash command can be executed.

So this issue is mainly of concern to system administrators on Mac OS X & Unix/Linux servers exposed to the world, not desktop users who do not enable SSH sharing.

Another, however, describes this view as ‘naive.’

… or have an application running, listening on an open port that allows RPC calls to be made that end up running shell commands. This could be any number of things as there are plenty of standard applications that do their RPC. I think this answer is very naïve. It’s very easy to be “running a web server” inadvertently in the course of running an application that does some client-server type thing.

The presence of the vulnerability can be confirmed by opening a Terminal window and pasting in the following command:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

A ‘vulnerable’ response demonstrates that the exploit works, while a Bash warning would indicate that the code failed.

Several variants of Linux already have patches available.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear