Apple has finally released a security update for OS X that closes the critical remote code execution Shellshock bug in the GNU Bash UNIX shell. The update resolves both CVE-2014-6271, discovered by Stéphane Chazelas, and CVE-2014-7169, the follow-up issue flagged by Tavis Ormandy after the first fix turned out to be incomplete.
According to Ars Technica, the patch will not be provided for current OS X Yosemite developer or public beta builds, but will be built into the next ones.
If you’re in a hurry to patch your system, you’ll have to download the update for your OS X version and install it manually, as the updates haven’t yet been made available through the usual Software Update mechanism (this will probably change soon).
Once the update has been installed, you can confirm that it was successful by opening the Terminal app and running the following command: bash --version.
The output should be GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13) if you run OS X Mavericks. On Mountain Lion and Lion the last part of the string should read darwin12 and darwin11 respectively.
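The version string only tells you which build the vendor shipped; it does not prove the binary behaves correctly. The script below is an added example written for this page, not code from the article, Apple or Intego. It prints the version line and then feeds the bash binary the two publicly circulated Shellshock test strings (the environment-function test for CVE-2014-6271 and the redirection-parser test for CVE-2014-7169), which is the check a practitioner actually wants after patching. The function names are our own, and the script assumes POSIX sh, env(1) and mktemp(1) are available; it works on any system with bash, not just OS X, and accepts an optional path so you can test /bin/bash and a self-built bash separately.

```shell
#!/bin/sh
# Added example (not from the article or Apple): verify a bash binary after
# patching by running the two public Shellshock test strings against it.
# Usage: sh shellshock_check.sh [/path/to/bash]   (default: bash on PATH)

# Print the first line of "bash --version", e.g. on a patched Mavericks:
# "GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)".
# Returns 2 if the binary cannot be found.
bash_version_line() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    "$bash_bin" --version 2>/dev/null | head -n 1
}

# CVE-2014-6271: an exported function definition followed by a trailing
# command. An unpatched bash executes the trailing command while importing
# the environment, so "VULNERABLE" shows up in the child's output even
# though the child was only asked to echo "probe".
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = bash not found.
check_cve_2014_6271() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    out=$(env 'x=() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug. With the test string below
# an unpatched bash mis-parses the trailing redirection, so "echo date" ends
# up writing the output of date(1) into a file named "echo" in the current
# directory. Run the probe in a throwaway directory and look for that file.
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = bash or mktemp unavailable.
check_cve_2014_7169() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d 2>/dev/null) || return 2
    ( cd "$tmp" && env 'X=() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Map a check's return code to a human-readable verdict.
verdict() {
    case "$1" in
        0) echo "not vulnerable" ;;
        1) echo "VULNERABLE" ;;
        *) echo "could not test" ;;
    esac
}

# Run both checks against one binary and report; returns 0 only if both pass.
shellshock_status() {
    bash_bin="${1:-bash}"
    rc1=0; check_cve_2014_6271 "$bash_bin" || rc1=$?
    rc2=0; check_cve_2014_7169 "$bash_bin" || rc2=$?
    echo "binary        : $bash_bin"
    echo "version       : $(bash_version_line "$bash_bin")"
    echo "CVE-2014-6271 : $(verdict "$rc1")"
    echo "CVE-2014-7169 : $(verdict "$rc2")"
    [ "$rc1" -eq 0 ] && [ "$rc2" -eq 0 ]
}

shellshock_status "${1:-bash}"
```

Because OS X's /bin/sh is also bash, it is worth running the script a second time with /bin/sh as the argument; a patched /bin/bash with a stale /bin/sh would still leave system(3) callers and CGI wrappers exposed.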
While the company was working on the update, a spokesperson pointed out that the vast majority of OS X users are not at risk. “With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services,” it was noted.
Intego’s Derek Erwin wrote a helpful explanation of the two instances in which users’ Mac systems are vulnerable to exploitation of the flaw – “both edge cases”, he notes, that “probably require a level of technical expertise that the person configuring their account as such can patch the exploit fairly simply.”
He also noted that Intego has seen proof-of-concept exploits on Mac OS X, and explained what damage attackers could do on a vulnerable system.