Apple patches “Shellshock” Bash bug in OS X 10.9, 10.8, and 10.7
Apple has just released the OS X Bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion, a patch that fixes the “Shellshock” bug in the Bash shell that we first reported on last week. Bash, which is the default shell for many Unix and Linux-based operating systems, has been updated twice to fix the Shellshock remote exploit bug, and many Linux distributions have already issued updates to their users.
When installed on an OS X Mavericks system, the patch upgraded the Bash shell from version 3.2.51 to version 3.2.53, something that users could already do manually if they were so inclined. The update requires the OS X 10.9.5, 10.8.5, or 10.7.5 updates to be installed on your system first. An Apple representative told Ars that the company would not be releasing an individual patch for users running the current OS X Yosemite developer or public beta builds, but the rep went on to say the bug will be fixed in future builds of the software. The company previously stated that Macs “are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.” Non-jailbroken iOS devices shouldn’t be vulnerable to the exploit at all.
Shellshock, in essence, allows attackers to issue commands to systems via malformed environment variables. In the case of Web servers, it can allow attackers to gain full control of the system. Exploits of the bug have already been spotted in the wild, and end users and server administrators are all encouraged to patch their systems as soon as possible.
The OS X update wasn’t yet available from Software Update on our Mavericks system when we checked, but in the meantime you can grab the Mavericks, Mountain Lion, and Lion versions of the patch manually from Apple’s software downloads site.
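To confirm the update took effect, the version Bash reports can be compared against the 3.2.53 build the article saw on Mavericks after patching. The script below is an added example, not Apple's tooling or part of the original article; the function names are hypothetical, and the threshold applies only to the 3.2 line discussed here.

```shell
#!/bin/sh
# Added example. Threshold 3.2.53 is the version the article reports after
# installing OS X Bash Update 1.0 on Mavericks; function names are hypothetical.

# classify_bash_version VERSION -> patched | unpatched | other-branch | unparsable
classify_bash_version() {
    v=${1-}
    v=${v%%[!0-9.]*}            # "3.2.53(1)-release" -> "3.2.53"
    case $v in
        *.*.*) ;;
        *) echo unparsable; return 0 ;;
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    for part in "$major" "$minor" "$patch"; do
        case $part in
            ''|*[!0-9]*) echo unparsable; return 0 ;;
        esac
    done
    if [ "$major" -eq 3 ] && [ "$minor" -eq 2 ]; then
        if [ "$patch" -ge 53 ]; then echo patched; else echo unpatched; fi
    else
        # The article gives no fixed version for other Bash branches.
        echo other-branch
    fi
}

# check_bash PATH: ask the binary for its own version and classify it.
check_bash() {
    shell_path=${1:-/bin/bash}
    if [ ! -x "$shell_path" ]; then
        echo "$shell_path: not present"
        return 0
    fi
    # BASH_VERSION is set by bash itself; single quotes keep this shell from expanding it.
    ver=$("$shell_path" -c 'echo "$BASH_VERSION"' 2>/dev/null) || ver=
    echo "$shell_path: ${ver:-unknown} -> $(classify_bash_version "$ver")"
}

# On OS X, /bin/sh is a separate copy of bash, so check both binaries.
check_bash /bin/bash
check_bash /bin/sh
```

A result of `other-branch` or `unparsable` means the shell is not a 3.2 build, so the fixed version has to come from that vendor's own advisory.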