In a quick fix for the Shellshock vulnerability in the Bash shell, Apple has released OS X Bash Update 1.0 for the three most recent versions of OS X: 10.7.5 Lion (3.5 MB), 10.8.5 Mountain Lion (3.3 MB), and 10.9.5 Mavericks (3.4 MB) — see “Macs Mostly Safe from Bash Vulnerability, but Be Ready to Patch” (26 September 2014). We presume the next beta release of 10.10 Yosemite will also include the fix. Oddly, the updates are not available via Software Update, but you can download and install the appropriate one from Apple’s Support
Downloads page. No reboot is required.
Installing OS X Bash Update 1.0 updates Bash (in Mavericks) from 3.2.51 to 3.2.53 — you can determine your version before and after with this command in Terminal:
If you have modified
/etc/bashrc be sure to back up those files before installing the update, since Apple overwrites both.
In the initial version of this article, I explained how to test for several of the vulnerabilities involved in Shellshock, but I subsequently wrote a more comprehensive article that shows how to test for all six of the currently known Shellshock vulnerabilities (“How to Test Bash for Shellshock Vulnerabilities,” 30 September 2014) – read that if you want to confirm that Apple’s patches are effective. The quick summary is that OS X Bash Update 1.0 appears to address the known vulnerabilities, with one ambiguous result.
Those still running 10.6 Snow Leopard or earlier must jump through an additional hoop to patch Bash, since Apple’s installers won’t work on Snow Leopard due to version number checking. Jorge Chamorro has modified the version checking script in the 10.7 Lion version of the update to allow installation in older versions of Mac OS X; try his version for older Macs. If you would prefer to work at the command line, we’ve also run across instructions for updating Bash manually in 10.4 Tiger and later.