In this article by the Huffington Post titled ¨Apple joins rush to fix Shellshock bug affecting the internet” it seems like Apple users are in panic on how to patch their beloved and “more secure” computers from something that they hardly understand. And at the same time Apple, says, keep it cool, you are not affected as bad as you think you are.
For once, the joke (or bug) is on us Linux users. For those that don’t remember, Apple OS X in any of their versions, have a common root, BSD. BSD, has always been the quirky cousin of Linux, and all are descendents from the Unix family tree. Bash (Bourne Again Shell), is one of the many implementations of a “shell” (Family Tree Here) and BSD as all of the Unix descendents use some sort of a shell implementation.
Now, what is a shell? A shell is a command interpreter, It’s what would be used before the times of retina displays, graphical user interfaces, and mice. In Windows terms, it’s the command prompt. Is the way a user interacts with a computer with text commands typed on a black screen. I am old enough to remember a Internet driven by commands in green-over-black dumb Hayes VT-400 terminals.
“Shellshock”, the bug that bring us here, it’s a 26 year old bug in the Bash implementation of a shell. One of the things you want in a shell is the ability to define variables (text strings, numeric values, names of files, or the return value from a program or process), the bug is that when defining a variable you can also pass along a command, that can do anything, from listing the defined users for a computer, to erasing the hard drives. Basically, by calling a compromised variable defined in a shell, you can unwillingly execute commands that can gather information about the computer or compromise its information. Bad enough is that it not only can be run locally on the computer, but also remotely, from anywhere, as long as the computer is connected to the internet, and (for example) a web page calls a shell routine in the background to do something.
Most of the operational systems out there, descendents of Unix, Linux, BSD, OSX are implementing or have implemented patches for their shells to fix this vulnerability, and that is the easy part. There are millions of devices out there that build the internet itself, switches, routers, firewalls, load balancers, all components that make the internet work, all of those devices run some sort of operational system, most of them, Unix descendents, in it’s miriad of implementations. All of those networked devices that make the infrastructure that makes the internet work are vulnerable and need to be patched.
And why “Heartbleed” and “Shellshock” are a good thing? Because it levels the field, makes us aware that there are no immune operational system, all needs to be checked, verified, and corrected; because a exposed vulnerability is better than an undocumented backdoor; because open source code can be checked, verified, and fixed by anyone with the knowledge, not hidden behind the closed doors and secrecy of a corporation.
But Apple users can sleep better tonight, knowing that there is a dedicated army of system and network administrators, around the world, testing, and patching, and working when you are sleeping, to make sure that tomorrow, you can read “The Huffington Post” securely in your tablet, sipping your espresso, in your bed.