Apple Updates Bash for the Shellshock Vulnerability
In a quick fix for the Shellshock vulnerability in the Bash shell, Apple has released OS X Bash Update 1.0 for the three most recent versions of OS X: 10.7.5 Lion (3.5 MB), 10.8.5 Mountain Lion (3.3 MB), and 10.9.5 Mavericks (3.4 MB) — see “Macs Mostly Safe from Bash Vulnerability, but Be Ready to Patch” (26 September 2014). We presume the next beta release of 10.10 Yosemite will also include the fix. Oddly, the updates are not available via Software Update, but you can download and install the appropriate one from Apple’s Support Downloads page. No reboot is required.
Installing OS X Bash Update 1.0 updates Bash (in Mavericks) from 3.2.51 to 3.2.53 — you can determine your version before and after with this command in Terminal:
bash --version
If you have modified /etc/profile or /etc/bashrc, be sure to back up both files before installing the update: Apple’s installer replaces them without warning, and any local changes are lost.
In the initial version of this article, I explained how to test for several of the vulnerabilities involved in Shellshock, but I subsequently wrote a more comprehensive article that shows how to test for all six of the currently known Shellshock vulnerabilities (“How to Test Bash for Shellshock Vulnerabilities,” 30 September 2014) – read that if you want to confirm that Apple’s patches are effective. The quick summary is that OS X Bash Update 1.0 appears to address the known vulnerabilities, with one ambiguous result.
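To make the version check and the patch verification above repeatable, here is a small script (an added example, not Apple’s code and not the test article referred to above) that prints the version of the bash it finds on PATH and runs the two original Shellshock probes, for CVE-2014-6271 and CVE-2014-7169. It covers only those two of the six known CVEs; the BASH_BIN variable is an assumption of this example so you can point it at a different binary, such as a freshly built one on an older system.

```shell
#!/bin/sh
# Added example, not from Apple or the original article. Probes the bash binary
# named by BASH_BIN (default: the `bash` on PATH, /bin/bash on OS X) for the
# two original Shellshock bugs. Written in POSIX sh so it runs unchanged on
# old and new systems; only the binary under test needs to be bash.
BASH_BIN="${BASH_BIN:-bash}"

# Version string reported by the bash under test, e.g. "3.2.53(1)-release".
# The patched Mavericks bash reports 3.2.53; the vulnerable one 3.2.51.
bash_version() {
    "$BASH_BIN" -c 'printf "%s\n" "$BASH_VERSION"'
}

# CVE-2014-6271: a vulnerable bash imports an exported variable that starts
# with "() {" as a function and also executes whatever follows the closing
# brace. A patched bash prints only "probe"; a vulnerable one also prints
# "vulnerable". Returns 1 when vulnerable.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left the parser able to carry a
# redirection out of a malformed function definition into the next command,
# so "echo probe" becomes ">echo probe" and a file named "echo" appears in
# the working directory. Runs in a throwaway directory so nothing is left
# behind on the machine being checked. Returns 1 when vulnerable.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo probe' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"; echo vulnerable; return 1
    fi
    rm -rf "$tmp"; echo patched; return 0
}

# Run every probe, print a one-line result for each, and exit non-zero if any
# of them found the bash under test still vulnerable.
shellshock_report() {
    rc=0
    printf 'bash version:  %s\n' "$(bash_version)"
    r1=$(check_cve_2014_6271) || rc=1
    printf 'CVE-2014-6271: %s\n' "$r1"
    r2=$(check_cve_2014_7169) || rc=1
    printf 'CVE-2014-7169: %s\n' "$r2"
    return $rc
}

shellshock_report
```

Run it once before installing the update and once after; on a patched system both probes should report "patched" and the script exits 0. On a system where BASH_BIN points at a binary you built yourself, this is a quick way to confirm the build actually picked up the fixes before you replace /bin/bash with it.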
Those still running 10.6 Snow Leopard or earlier must jump through an additional hoop to patch Bash, since Apple’s installers won’t work on Snow Leopard due to version number checking. Jorge Chamorro has modified the version checking script in the 10.7 Lion version of the update to allow installation in older versions of Mac OS X; try his version for older Macs. If you would prefer to work at the command line, we’ve also run across instructions for updating Bash manually in 10.4 Tiger and later.
Adam, thanks for your prompt reporting on this breaking news.
Thanks to Derek Currie for keeping track of all the CVEs related to bash at
http://mac-security.blogspot.com/2014/09/coverage-of-apples-bash-shellshock-bugs.html
I've now taken Derek's idea and expanded it by listing all the CVEs that cover Shellshock and providing the necessary tests so you can check different systems.
http://tidbits.com/article/15116
Thanks for the fast news about the update. Unfortunately I'm still running 10.6 Server, so it looks like I'll be rolling my own patch. Now I know.
A day later and the patch has yet to show up in Software Update. I have no problem downloading and installing updates manually, but most members of my user group will miss this update completely if it does not automatically appear in Software Update. I'll give it a day or two more, then start notifying them.
Yeah, I'm a bit surprised by that too, but perhaps Apple needed to push something out faster than they could build a full security update.
http://hacksagogo.wordpress.com/2014/10/02/shell-shock-os-x-bash-update-installer-for-snow-leopard/
Here’s for the crazy ones, the misfits, the trouble makers, the round heads in the square holes. The ones who see things differently… and are still running Snow Leopard.
Thanks for the link George. Using the actual installer was quick and easy. I wasn't looking forward to having to roll my own bash update, even with step by step instructions.
I wish they had done one for Snow Leopard. Or at least put out instructions for a manual update to a non-vulnerable version of bash. I still have one aging iMac that is vulnerable to this thing. I disabled all affected services, but I occasionally use those to do things remotely.
One should first back up /etc/profile and /etc/bashrc. Both files are replaced by the update. There is no warning. Very bad for people who modified both files. Apple should be more careful. They leave Unix hackers behind.
Thanks for the warning - I've added this to the article.
In the “Apple Updates Bash for the Shellshock Vulnerability” article, is this a “Security” Update from Apple? Do I have to use Terminal to do this update? I never use Terminal and would rather not, to find which version of Bash I have.
It’s not a Security Update and it’s not available via Software Update, but it’s just a matter of downloading a disk image and running an installer; there’s no Terminal work necessary.
I went this route for Snow Leopard:
http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html
It has the added advantage of not touching /etc/profile and /etc/bashrc ...
I downloaded Jorge Chamorro's code from http://hacksagogo.wordpress.com/2014/10/02/shell-shock-os-x-bash-update-installer-for-snow-leopard/ twice, and it wouldn't open either time. Error:
The operation couldn’t be completed. (com.apple.installer.pagecontroller error -1.)
Couldn't open "BashUpdateSnowLeopard.pkg".
I looked up the error on the Internet and it told me to apply this fix first: http://support.apple.com/kb/dl1512
So I did, but it still doesn't open.
Jorge Chamorro says "I'm afraid I have no idea why you get that error, sorry."