Apple and Amazon have moved to calm customers’ fears following the discovery of a critical vulnerability, codenamed Shellshock, in the Bash code used in nearly all Unix or Unix-like systems.
In a statement sent to iMore, Apple said the flaw affects only a very small number of OS X systems and that it is working on a patch.
“The vast majority of OS X users are not at risk to recently reported Bash vulnerabilities. Bash, a Unix command shell and language included in OS X, has a weakness that could allow unauthorised users to remotely gain control of vulnerable systems.
“With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced Unix services. We are working to quickly provide a software update for our advanced Unix users.”
At the time of publishing, Apple had not responded to V3’s request for comment on iMore’s report or on whether it has seen any active Shellshock exploitation in the wild.
Discovered on 25 September, Shellshock is commonly viewed as one of the biggest vulnerabilities ever discovered.
Security experts have warned that due to the widespread use of Bash, the flaw has the potential to be used in attacks on everything from the SCADA systems used to power critical infrastructure to web servers hosting private and company websites and data.
Amazon also moved, in a security advisory, to allay fears that its servers may be affected, promising its APIs and backends are secure.
“We have reviewed CVE-2014-6271 and CVE-2014-7169 [Shellshock] and have determined that our APIs and backends are not affected, and except as noted below, our services are not affected,” read the advisory.
The firm did warn Amazon Elastic MapReduce (EMR) and AWS Elastic Beanstalk users they may be vulnerable if running on old software, calling for them to update their systems as soon as possible.
Shellshock is one of many dangerous security flaws found in commonly used code this year. In April, researchers uncovered a critical bug in SSL, codenamed Heartbleed, that left millions of web servers across the world open to attack.