Apple releases bash patch to plug 'Shellshock' security flaw in OS X Mavericks, Mountain Lion, Lion

Posted in macOS, edited October 2014
As promised, Apple on Monday issued OS X bash Update 1.0 for OS X Mavericks, Mountain Lion and Lion, targeting the recently discovered "Shellshock" security flaw originating in the bash UNIX shell.




Following revelations that Shellshock was in the wild, Apple last Friday said that, while most consumers would go unaffected, it was working to patch the problem. That fix was released today for OS X 10.9 Mavericks, OS X 10.8 Mountain Lion and OS X 10.7 Lion.
This update fixes a security flaw in the bash UNIX shell.
The bug, dubbed "Shellshock" by the computer security community, is theorized to be built in to every version of bash since the system's inception in 1989. Using a remote attack, nefarious users could potentially issue commands to an affected computer with the intent of gathering information, modifying system files and more.

"With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services," an Apple spokesperson said last week, adding that the company is "working to quickly provide a software update for our advanced UNIX users."

Mac owners running Mavericks can download the 3.4MB patch through Apple's Support website, as can users operating Mountain Lion and Lion. For Mountain Lion, the fix comes in at 34.3MB, while the Lion download clocks in at 3.5MB. Alternatively, the patch is available through Software Update.

Comments

  • Reply 1 of 19

    I guess since Yosemite DP9 is tomorrow they’re ignoring us for now.

  • Reply 2 of 19
    Cool. Not showing up for me yet. I had already installed the MacPorts version of bash, but it's good that Apple's version is being updated.
  • Reply 3 of 19
    I guess Mountain Lion was extra broke. :D
  • Reply 4 of 19
    For Tiger (don't ask) is it enough to do a command line shell change - to ksh?
  • Reply 5 of 19
    jpellino wrote: »
    For Tiger (don't ask) is it enough to do a command line shell change - to ksh?

    http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html

    Should be all you need to fix it. I still run Tiger on my Cube as a music server, and on my 12" PB (admittedly, I don't use that one much anymore).
  • Reply 6 of 19
    jpellino wrote: »
    For Tiger (don't ask) is it enough to do a command line shell change - to ksh?
    It depends on if you believe that an installation without the extra tools is at risk. It isn't just the terminal; it is anything that can spawn a shell like Perl or even startup scripts.
  • Reply 7 of 19
    Marvin (Posts: 15,309, moderator)
    I guess Mountain Lion was extra broke. :D

    It's only 3.3MB, just another typo.
  • Reply 8 of 19



    Thx.

  • Reply 9 of 19



    Tiger server with no 3rd party on it (had Moodle, that's gone along with the supporting MySQL and PHP that I believe needed to call bash).  

  • Reply 10 of 19
    neilm (Posts: 985, member)

    Tuesday morning, not showing up in my Software Update for Mavericks.

     

    More annoyingly, now I have to obtain a patch for our Snow Leopard server. (Yeah, Snow Leopard is old, but like other server admins I avoid updating the OS unless it's unavoidable.)

  • Reply 11 of 19
    razorpit (Posts: 1,796, member)
    Quote:
    Originally Posted by NeilM

    Tuesday morning, not showing up in my Software Update for Mavericks.

    Wish it would show up there. Would make it a heck of a lot easier to tell my folks how to do the update. Anyone know why it doesn't appear in the software update? I thought we were past the days of having to download a package from a web address and running an installer. Sure, it's simple enough for most of us here to do, but what about parents/grandparents who don't know this site exists?

  • Reply 12 of 19
    Marvin (Posts: 15,309, moderator)
    razorpit wrote: »
    what about parents/grandparents who don't know this site exists?

    If they're not running a public server, they don't have anything to worry about.
  • Reply 13 of 19

    And Snow Leopard??

  • Reply 14 of 19
    razorpit (Posts: 1,796, member)
    Quote:
    Originally Posted by Marvin

    If they're not running a public server, they don't have anything to worry about.

    I know there were some concerns originally about how DHCP is handled and if that could be exploited. The word today is that normal clients need not worry, but still why not just add it to the updates? My parents heard about the exploit on the news. They know "the issue" is out there, Apple has the patch, why not make it simple to get and install? For them the problem would be "fixed".

  • Reply 15 of 19
    Marvin (Posts: 15,309, moderator)
    razorpit wrote: »
    Marvin wrote: »
    If they're not running a public server, they don't have anything to worry about.

    I know there were some concerns originally about how DHCP is handled and if that could be exploited. The word today is that normal clients need not worry, but still why not just add it to the updates? My parents heard about the exploit on the news. They know "the issue" is out there, Apple has the patch, why not make it simple to get and install? For them the problem would be "fixed".

    Oh yeah, I forgot about the DHCP exploit. It should be trivial for Apple to add the installer to the Mac App Store.
  • Reply 16 of 19
    For more information about Shellshock, along with a website and standalone server tester you can visit https://shellshocker.net/

    There are instructions on how to patch your system there too.

    Want to help contribute to the project? Click on the GitHub link in the header and send in a pull request.

    Thanks!
  • Reply 17 of 19

    For more information about Shellshock, along with a website and standalone server tester you can visit https://shellshocker.net/

    There are instructions on how to patch your system there too.

    Want to help contribute to the project? Click on the GitHub link in the header and send in a pull request.

    Thanks!

  • Reply 18 of 19
    haggar (Posts: 1,568, member)
    Quote:
    Originally Posted by razorpit

    Anyone know why it doesn't appear in the software update? I thought we were past the days of having to download a package from a web address and running an installer. Sure, it's simple enough for most of us here to do, but what about parents/grandparents who don't know this site exists?

    It has nothing to do with a person's age. It applies to all people who simply don't read computer news sites at all, let alone Apple rumor sites. We should certainly be beyond the days of having to search various websites to find an OS update.

  • Reply 19 of 19
    razorpit (Posts: 1,796, member)
    Yes, I simplified by only mentioning one group of users, but you're right. There are more users who don't follow sites such as these or other news sources. Ironically Apple recommends all users install the patch... ????