Security News

Apple’s OS X Bash Update 1.0 Patches Shellshock Vulnerability

Posted on September 30th, 2014 by

Apple has released OS X Bash Update 1.0, a security update for Mac OS X that patches the Shellshock vulnerability. The Shellshock flaw affects the Bash shell used across many Unix-based systems including Mac OS X and variants of Linux.

"This update fixes a security flaw in the bash UNIX shell," according to Apple.


Apple's OS X Bash Update 1.0 is available for: OS X Lion 10.7.5, OS X Lion Server 10.7.5, OS X Mountain Lion 10.8.5, and OS X Mavericks 10.9.5.

Apple's security announcement on Monday described the Bash bug fixes as follows:

CVE-2014-6271, CVE-2014-7169: In certain configurations, a remote attacker may be able to execute arbitrary shell commands. An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement. This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state. In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.

Apple's OS X Bash Update 1.0 may be obtained from the following webpages:

How to Tell If You're Protected

After applying the security updates, here's how to check that Bash has been updated:

Open Terminal, and execute this command:

bash --version

The Bash version after applying this security update will be:

  • OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
  • OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
  • OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)

The darwin number in parentheses identifies the OS release (11 for Lion, 12 for Mountain Lion, 13 for Mavericks) and does not change with the update; the part to check is the patch level, 3.2.53.

Once the version matches, re-run the vulnerability test from last week's post. After the update it should no longer print the word "vulnerable".
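As an added example (my own script, not code from the original post or from Apple), the following POSIX sh script automates the checks this section describes: it reads the bash version, runs the public test strings for CVE-2014-6271 and CVE-2014-7169, and shows under what environment-variable name the patched bash exports a function, which is the namespace change described in Apple's advisory text above. The function names and the status words "vulnerable", "patched", "bare" and "namespaced" are my own choices, and the file name shellshock-check.sh is assumed.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple: checks a host
# for the two Shellshock CVEs fixed by OS X Bash Update 1.0 and shows the
# effect of the exported-function namespace change. Function names are
# mine; the test strings are the public ones for CVE-2014-6271 and
# CVE-2014-7169.

# Version number of the bash on PATH (e.g. "3.2.53"), or "no-bash".
bash_version() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    bash --version 2>/dev/null \
        | sed -n '1s/.*[vV]ersion \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# CVE-2014-6271: a function definition stored in an environment variable
# was parsed at startup, and whatever followed the closing brace ran too.
# Prints "vulnerable", "patched" or "no-bash".
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first fix left the parser in a bad state after a
# malformed definition, so the following "echo date" was run as
# "date > echo" and wrote a file named "echo". The check runs inside a
# scratch directory so a vulnerable bash can only drop that file where
# it is deleted afterwards.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    dir=$(mktemp -d) || { echo error; return 0; }
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}

# Environment-variable name under which this bash exports a function.
# Before the fix it was the bare function name, so any program that copied
# untrusted input into the environment (a CGI wrapper copying HTTP headers,
# for instance) could feed the function parser. Apple's 3.2.53 uses
# __BASH_FUNC<name>(); upstream bash 4.3 and later uses BASH_FUNC_name%%.
exported_function_key() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    bash -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
        | grep 'probe' | grep -F '() {' | head -n 1 | cut -d= -f1
}

# "namespaced" when the key carries a prefix, "bare" when it is just the
# function name (the pre-patch behaviour), "no-bash" otherwise.
function_export_namespace() {
    key=$(exported_function_key)
    case "$key" in
        no-bash) echo no-bash ;;
        probe)   echo bare ;;
        *)       echo namespaced ;;
    esac
}

# Stand-alone run: one line per check.
printf 'bash version:        %s\n' "$(bash_version)"
printf 'CVE-2014-6271:       %s\n' "$(check_cve_2014_6271)"
printf 'CVE-2014-7169:       %s\n' "$(check_cve_2014_7169)"
printf 'function export key: %s\n' "$(exported_function_key)"
printf 'export namespace:    %s\n' "$(function_export_namespace)"
```

Run it with `sh shellshock-check.sh`. A Mac with OS X Bash Update 1.0 applied prints 3.2.53, "patched" for both CVEs and a namespaced key of the form `__BASH_FUNC<probe>()`; a current upstream bash prints `BASH_FUNC_probe%%` instead. The CVE-2014-7169 check deliberately runs in a temporary directory because on an unpatched bash it writes a file named echo into the working directory.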

  • http://www.digioz.com DigiOz Multimedia

    This patch is great for 2 out of 6 total variations found so far. But what about the other 4 ( CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)?

  • 1Biodegradable1

    What about a fix for Snow Leopard (OS X 10.6.8)?

  • Jensen_G

    Do we know why Apple made this an optional update instead of including it through its standard Software Update (through app store) mechanism?

    • dis666

      Because normal people are never vulnerable. They would have to open their system to attack intentionally, by three steps…
      – Turning on Remote Login.
      – Turning on “All Users”.
      – Enabling Guest Access.

      I cannot imagine anyone with half a brain doing that. You don’t start messing with Remote Login unless you are doing some unusual network sharing. You wouldn’t activate all users, unless you are extremely lazy and not thinking clearly.

  • dis666

    Doesn’t work. After installing, I entered the Terminal command. It is still darwin12.