
Apple Updates Bash for the Shellshock Vulnerability

In a quick fix for the Shellshock vulnerability in the Bash shell, Apple has released OS X Bash Update 1.0 for the three most recent versions of OS X: 10.7.5 Lion (3.5 MB), 10.8.5 Mountain Lion (3.3 MB), and 10.9.5 Mavericks (3.4 MB) — see “Macs Mostly Safe from Bash Vulnerability, but Be Ready to Patch” (26 September 2014). We presume the next beta release of 10.10 Yosemite will also include the fix. Oddly, the updates are not available via Software Update, but you can download and install the appropriate one from Apple’s Support Downloads page. No reboot is required.

Installing OS X Bash Update 1.0 updates Bash (in Mavericks) from 3.2.51 to 3.2.53 — you can determine your version before and after with this command in Terminal:

bash --version

If you have modified /etc/profile or /etc/bashrc, be sure to back up those files before installing the update, since Apple overwrites both.
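The version check and the backup advice above, combined into one script as an added example (it is not from Apple or the original article). The backup directory and the function names are assumptions, and 3.2.53 is the patched Mavericks version quoted above.

```sh
#!/bin/sh
# Added example: checks to run before and after installing OS X Bash Update 1.0.
PATCHED="3.2.53"                      # version the article reports for Mavericks
BACKUP_DIR="$HOME/bash-update-backup" # hypothetical location, pick your own

# Extract "X.Y.Z" from the first line of `bash --version` output passed as $1.
bash_version() {
    printf '%s\n' "$1" |
        sed -n '1s/.*version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed if dotted version $1 >= $2, comparing the three fields numerically.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2                      # $1-$3 = first version, $4-$6 = second
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0; [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0; [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Copy each existing file into directory $1, keeping mode and timestamps.
backup_files() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for f in "$@"; do
        [ -f "$f" ] && cp -p "$f" "$dir/$(basename "$f")"
    done
    return 0
}

# Print every file that now differs from its backup copy in directory $1.
changed_since_backup() {
    dir=$1; shift
    for f in "$@"; do
        b="$dir/$(basename "$f")"
        [ -f "$b" ] || continue
        cmp -s "$f" "$b" || printf '%s\n' "$f"
    done
}

case "${1:-}" in
    backup) backup_files "$BACKUP_DIR" /etc/profile /etc/bashrc ;;
    verify)
        v=$(bash_version "$(bash --version)")
        if [ -n "$v" ] && version_ge "$v" "$PATCHED"; then echo "bash $v: patched"
        else echo "bash ${v:-?}: older than $PATCHED or unparsable"; fi
        changed_since_backup "$BACKUP_DIR" /etc/profile /etc/bashrc ;;
    *) echo "usage: $0 backup|verify" ;;
esac
```

Run it with `backup` before the installer and with `verify` afterwards; any file that `verify` lists was replaced by the update, so merge your customizations back from the backup copy.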

In the initial version of this article, I explained how to test for several of the vulnerabilities involved in Shellshock, but I subsequently wrote a more comprehensive article that shows how to test for all six of the currently known Shellshock vulnerabilities (“How to Test Bash for Shellshock Vulnerabilities,” 30 September 2014) – read that if you want to confirm that Apple’s patches are effective. The quick summary is that OS X Bash Update 1.0 appears to address the known vulnerabilities, with one ambiguous result.

Those still running 10.6 Snow Leopard or earlier must jump through an additional hoop to patch Bash, since Apple’s installers won’t work on Snow Leopard due to version number checking. Jorge Chamorro has modified the version checking script in the 10.7 Lion version of the update to allow installation in older versions of Mac OS X; try his version for older Macs. If you would prefer to work at the command line, we’ve also run across instructions for updating Bash manually in 10.4 Tiger and later.

 


Comments about Apple Updates Bash for the Shellshock Vulnerability
(Comments are closed.)

Harmon Abrahamson  2014-09-29 22:05
Adam, thanks for your prompt reporting on this breaking news.
Adam Engst (TidBITS Staffer)  2014-09-30 09:54
Thanks to Derek Currie for keeping track of all the CVEs related to bash at

http://mac-security.blogspot.com/2014/09/coverage-of-apples-bash-shellshock-bugs.html
Adam Engst (TidBITS Staffer)  2014-09-30 16:17
I've now taken Derek's idea and expanded it by listing all the CVEs that cover Shellshock and providing the necessary tests so you can check different systems.

http://tidbits.com/article/15116
Gary Williams  2014-09-30 15:26
Thanks for the fast news about the update. Unfortunately I'm still running 10.6 Server, so it looks like I'll be rolling my own patch. Now I know.
chrischram@gmail.com  2014-09-30 15:44
A day later and the patch has yet to show up in Software Update. I have no problem downloading and installing updates manually, but most members of my user group will miss this update completely if it does not automatically appear in Software Update. I'll give it a day or two more, then start notifying them.
Adam Engst (TidBITS Staffer)  2014-09-30 16:16
Yeah, I'm a bit surprised by that too, but perhaps Apple needed to push something out faster than they could build a full security update.
George Of The Jungle  2014-10-02 14:28
http://hacksagogo.wordpress.com/2014/10/02/shell-shock-os-x-bash-update-installer-for-snow-leopard/

Here’s for the crazy ones, the misfits, the trouble makers, the round heads in the square holes. The ones who see things differently… and are still running Snow Leopard.
Gary Williams  2014-10-06 02:09
Thanks for the link George. Using the actual installer was quick and easy. I wasn't looking forward to having to roll my own bash update, even with step by step instructions.
Floyd Tolar  2014-10-02 19:49
I wish they had done one for Snow Leopard. Or at least put out instructions for a manual update to a non-vulnerable version of bash. I still have one aging iMac that is vulnerable to this thing. I disabled all affected services, but I occasionally use those to do things remotely.
Andreas Frick  2014-10-06 12:41
One should firstly back up /etc/profile and /etc/bashrc. Both files are replaced by the update. There is no warning. Very bad for people who modified both files. Apple should be more careful. They leave Unix hackers behind.
Adam Engst (TidBITS Staffer)  2014-10-06 12:41
Thanks for the warning - I've added this to the article.
John Fazzino  2014-10-07 13:23
In the "Apple Updates Bash for the Shellshock Vulnerability" article, is this a "Security" Update from Apple? Do I have to use Terminal to do this update? I never use Terminal and would rather not, to find which version of Bash I have.
Adam Engst (TidBITS Staffer)  2014-10-07 14:02
It's not a Security Update and it's not available via Software Update, but it's just a matter of downloading a disk image and running an installer - there's no Terminal work necessary.
guy411  2014-10-07 13:44
I went this route for Snow Leopard:

http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html

It has the added advantage of not touching /etc/profile and /etc/bashrc ...
Eleanor Batchelder  2014-10-13 17:08
I downloaded Jorge Chamorro's code from http://hacksagogo.wordpress.com/2014/10/02/shell-shock-os-x-bash-update-installer-for-snow-leopard/ twice, and it wouldn't open either time. Error:
The operation couldn’t be completed. (com.apple.installer.pagecontroller error -1.)
Couldn't open "BashUpdateSnowLeopard.pkg".

I looked up the error on the Internet and it told me to apply this fix first: http://support.apple.com/kb/dl1512
So I did, but it still doesn't open.

Jorge Chamorro says "I'm afraid I have no idea why you get that error, sorry."