Apple: OS X 'Safe' From Shellshock Bug

Apple issued a statement to reassure OS X users, saying they are not under threat from the Shellshock bug.

The bug, named after the Linux- and UNIX-based shell commands, is a vulnerability in the Bash software shell that could let hackers take control of a system.

Experts have compared the bug to the devastating Heartbleed glitch that affected hundreds of thousands of servers and placed account information for millions of users at risk.

The United States Computer Emergency Readiness Team (US-CERT), a branch of the Department of Homeland Security, on Wednesday warned users of Unix-based operating systems, such as Linux and Mac OS X, that the vulnerability "may allow a remote attacker to execute arbitrary code on an affected system."

Apple said Friday Mac OS X users are, for the most part, not in any danger.

"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an Apple spokesperson said. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users."

Experts said the vulnerability is centered around web servers, so Mac users should not be concerned because their computers are likely not set up for that service.

"What Apple is saying is very factual," said Patrick Moorhead, president and principal analyst at Austin, Texas-based tech analyst firm Moor Insights & Strategy. "The thing about a client computer is that it has to be accessed to a network. To really compromise a Mac, you have to hack into the network to connect to the Mac. This is not going to be a problem to OS X users. It's on the companies with the web servers."

Shellshock, Moorhead said, has the potential to surpass the severity of Heartbleed, but he sees companies handling web servers getting out ahead of the issue by deploying patches to prevent that from happening.

"Potentially, it can turn your server into kind of a zombie that sends out denial of services to another web server, meaning it can use a server to bring other servers to a halt," he said. "The fear is it replicates to multiple servers around the internet and brings down a sizable amount of the internet. Fifty percent of the internet is driven by Linux and UNIX, meaning it could affect half of the internet. That is an absolute worst-case scenario."

It is likely that only a subset of OS X devices is affected by this vulnerability, said Douglas Grosfield, president and CEO of Ontario-based solutions provider Xylotek Solutions, who sees the onus as being on the vendor to get patches and updates out as soon as it can to those it does affect.

"A vulnerability being embedded into Bash hosts brings a whole new host of threats," he said. "The software vendors are able to quickly release software patches, so we are seeing a lot of activity on their part for sure. The challenge is to stop it before it gets serious. We don’t know how long the vulnerability has been known and exploited, so you have to assume the worst."

PUBLISHED SEPT. 26, 2014