Is Apple Mistaken about the Severity of Shellshock?

Apple released an email statement saying that the vast majority of Mac OS users are not vulnerable to the Shellshock Bash vulnerability (CVE-2014-7169). Hours later, Hendrik Adrian tweeted that a live exploit of it was being used against Mac users:

Screenshot 2014-09-28 09.30.12

Apple has not released any test to validate that its version of bash is secure. It could have tested its releases with a script developed by Red Hat that checks whether a system is vulnerable:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

It seems unlikely that Apple is using this test. If it were, it would find that the test fails on a fully patched Apple OS X Version 10.9.5:

Screenshot 2014-09-28 09.10.33
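
The same probe wrapped in a reusable check, as an added example that is not part of the original post: it runs the test line above against each shell path given and labels the result. The function names, the labels and the choice of paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and labels are
# this example's own.

# Classify captured probe output read from stdin. Only whole-line matches
# count, so a warning that merely contains a word is not mistaken for a hit.
shellshock_classify() {
    probe_output=$(cat)
    if printf '%s\n' "$probe_output" | grep -qx 'vulnerable'; then
        echo "vulnerable"        # the command after the function body ran
    elif printf '%s\n' "$probe_output" | grep -qx 'this is a test'; then
        echo "not vulnerable"    # only the requested command ran
    else
        echo "inconclusive"      # shell crashed or printed something else
    fi
}

# Run the article's probe against one shell binary and print a label for it.
shellshock_check() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # stderr is kept: a fixed bash may print import warnings there.
    env x='() { :;}; echo vulnerable' "$shell_path" -c 'echo this is a test' 2>&1 \
        | shellshock_classify
}

# Report on every path given, one line per path.
shellshock_scan() {
    for candidate in "$@"; do
        printf '%s: %s\n' "$candidate" "$(shellshock_check "$candidate")"
    done
}

# /bin/sh is included because on OS X it is also bash.
shellshock_scan /bin/bash /bin/sh
```

Any other copies of bash on the system (for example one installed by a package manager) can be passed to shellshock_scan as extra arguments.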

This leaves a strange question: who is correct? Is the Red Hat test correct, or is Apple’s statement of being secure correct? Unfortunately, the answer may not be known anytime soon. As with previous virus issues on Macs, users tend not to run antivirus, and so are unaware when their system is infected.
