Shellshock: Apple patch missed a third vulnerability

Shellshock still has the chance to wreak havoc on Apple OS X after a security researcher warned that a third vulnerability exists that the company has so far failed to patch.

Greg Wiseman, a security researcher at Rapid7, told CNET he uncovered the third vulnerability after running a script to test for Bash vulnerabilities and worked out that it still existed in OS X Mountain Lion even after the patch was installed.

The vulnerability, tracked as CVE-2014-7186, can reportedly allow denial-of-service (DoS) attacks that are able to stop Mac computers from connecting to the Internet or other local networks.

The exploit affects any computer around the world that is running Unix or Linux, including Apple OS X, and allows malicious code to run inside a Bash shell, which means even the most basic of programmers can potentially steal personal data and sensitive information or take control of a computer.

Apple’s hastily released patch addresses the two Shellshock vulnerabilities known as CVE-2014-7169 and CVE-2014-6271, and the company has already reassured regular OS X users not to worry, as only advanced Unix users are really affected.

The exploit was disclosed last week, and many security researchers dubbed it “worse than Heartbleed”. The fact that it is still out there, unpatched, is a worry.

Apple will now be expected to release another patch to fix the latest vulnerability to prevent further damage being done to advanced users of OS X.

There’s a full guide on how to protect any machine from the Bash bug that can provide advice and help to any user worried by the bug.