Apple working on “Shellshock” fix, says most users not at risk
Apple has responded to concerns about “Shellshock,” a pair of vulnerabilities in versions of the GNU Bourne-Again Shell (bash), issuing a statement that the company is “working to quickly provide a fix” to the vulnerability. However, a company spokesperson said that most Mac OS X users have nothing to fear.
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson said in a statement to the Apple-focused site iMore. “With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced Unix services.”
Mac OS X uses version 3.2.51.(1) of GNU bash, released in 2007; the current GNU release of the shell is bash 4.3. However, the current version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms, even dropping the open-source Windows networking service Samba from OS X Server in 2011 because Samba had shifted to a GPLv3 license.
Therefore, although patches for the vulnerability have now been pushed out for most open-source operating systems, Apple will likely have to make its own internal modifications to the bash code, as all new releases of the bash shell by its maintainer, Chet Ramey, are under the GPLv3 license.