Friday 26 September 2014

Mac users - the "Shellshock" vulnerability

Mac users (like me) might be alarmed at the stories of the "Shellshock" vulnerability that apparently can affect users of various versions of Unix, including the Mac operating system OS X.

Don't panic. You should only be at risk if you're running the Apache web server built into OS X. This is the technology that allows your Mac itself to act as a web server. In the most recent versions of OS X, Mountain Lion (10.8) and Mavericks (10.9), this is switched off by default but if you're using an older version of OS X this might be switched on and you should switch it off right now.

You can test to see if it's running by clicking on this link http://localhost/ (which just tries to connect to your own computer). If the link fails (like below) then your internal web server is switched off and you should be safe.

However, if you get a message saying something like "It works!" then your web server is switched on and you're vulnerable. If this happens you should switch it off right now. To do this, first open your System Preferences.

Then click on Sharing.

I took this screen shot from an older Mac running Snow Leopard (10.6).

Just make sure that "Web Sharing" is switched off and you should be a lot safer.

Those of us who use Apple Macs can often feel immune to malware and vulnerabilities and, to extent, that's true. But let's not become complacent.

Thanks to TUAW, The Unofficial Apple Weblog and CNET for the background information.

No comments: