OS X Bash Update 1.0 Released to Address Shellshock Security Flaw

Sep 29, 2014 - 20 Comments


Apple has released an important security update for Mac users, labeled as OS X Bash Update 1.0. The update addresses a recently discovered critical security flaw known as “Shellshock” that impacts the bash shell, the default shell used by the Terminal app of OS X, and is recommended for all users to install even if they don’t use the Terminal app, bash, or command line on the Mac.


The download is very small, weighing in around 3.5MB, and the release notes simply state “This update fixes a security flaw in the bash UNIX shell.” The security patch is currently available as three separate downloads, one each for OS X Mavericks 10.9.5, OS X Mountain Lion 10.8.5, and OS X Lion 10.7.5. A bash patch for the OS X Yosemite Public Beta and Developer Preview releases is not yet available.

Users can download the appropriate DMG file for their version of OS X via the links below:

Note that Mac users must be on the latest versions of their respective releases to install the update. Despite being a small update, it’s good practice to do a quick backup of your Mac with Time Machine or your backup software of choice before installing any system updates.

At the moment, the OS X Bash Update is only available through the Apple Support website, but presumably will also be released through the Software Update mechanism of OS X in the near future.

Though it’s unlikely that most Mac users have been impacted by any particular security breach, or are at risk of a breach from the Shellshock bash exploit, it’s still a good idea to install critical security patches like this. Apple previously offered the following statement to MacRumors regarding the flaw and who it could impact:

“Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

The “advanced UNIX services” Apple references are presumably Remote Login (the OS X SSH server), which allows for remote administration, and the optional Apache web server, which lets Mac users host webpages directly from their Mac. Over SSH an attacker still needs a valid login to reach a shell, so the realistic exposure is accounts that are limited to a forced command: sshd hands the client’s requested command line to the user’s shell through an environment variable, which is exactly the channel Shellshock abuses, so a restricted bash account can still be made to run arbitrary commands. With Apache, any CGI script that is run by bash, or that calls out to a shell, receives request headers such as User-Agent as environment variables and can be attacked with no credentials at all. Again, it’s fairly unlikely that many Mac users have been at risk, since neither service is enabled by default, but anyone who has turned on Remote Login or the Apache web server should treat this update as urgent.
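As an added illustration (this is not code from the original article or from Apple), the shell functions below check a given bash binary for the two Shellshock parser bugs the update addresses, CVE-2014-6271 and the incomplete-fix follow-up CVE-2014-7169, and show how a CGI request header turns into the environment variable that reaches bash. The function names, the simulated CGI handler and the attacker header value are my own constructions for the example; the two test strings are the widely published checks for those CVEs.

```shell
#!/bin/sh
# Added example: Shellshock checks against a given bash binary.
# Each check returns 0 (true) when the binary is VULNERABLE and 1 when it is not.

# CVE-2014-6271: bash imports exported functions from the environment and used to
# keep parsing past the closing brace, so the trailing "echo vulnerable" runs.
shellshock_6271() {
    bash_bin="${1:-bash}"
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# CVE-2014-7169: the first fix left parser state behind; a broken function body
# makes the next command run as "> echo date", so a file named "echo" appears
# in the working directory of a vulnerable bash.
shellshock_7169() {
    bash_bin="${1:-bash}"
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2
        env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1
    )
    if [ -e "$work/echo" ]; then
        rm -rf "$work"
        return 0
    fi
    rm -rf "$work"
    return 1
}

# The web-server vector: a CGI-style handler run by bash sees request headers
# as environment variables (HTTP_USER_AGENT and friends). With a vulnerable
# bash the attacker-controlled header is parsed as a function definition plus
# a trailing command. Prints the handler's response; the caller looks for the
# injected marker in it. The header value is a constructed attacker input.
cgi_vector() {
    bash_bin="${1:-bash}"
    header_value="$2"   # e.g. '() { :;}; echo INJECTED'
    env HTTP_USER_AGENT="$header_value" "$bash_bin" -c \
        'echo "Content-Type: text/plain"; echo; echo "served"' 2>/dev/null
}

# One-line verdict for a binary: prints "vulnerable" or "patched".
shellshock_status() {
    bash_bin="${1:-bash}"
    if shellshock_6271 "$bash_bin" || shellshock_7169 "$bash_bin"; then
        echo vulnerable
    else
        echo patched
    fi
}
```

Run `shellshock_status /bin/bash` before and after installing the update; a patched bash prints “test” and “date” for the two probes instead of executing the smuggled command, and `cgi_vector` returns only the constructed “served” response. The same functions work against any other bash you have installed (Homebrew, MacPorts, a hand-built binary) by passing its path as the first argument.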

What about a Bash patch for Mac OS X Snow Leopard?

For Mac users running OS X 10.6.8 Snow Leopard, you have a few options to patch bash:

  • You can manually install the newest version of bash, either built from source with gcc or installed through Homebrew or MacPorts
  • You can manually install the above Lion bash patches by either extracting the pkg file from the OS X Lion version and manually copying the new bash versions to Snow Leopard, or modify the Distributions file to allow for installation on Snow Leopard

At the moment, Apple has not released an official bash patch for Snow Leopard, which means 10.6 users will need to install the new version of bash themselves.
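As an added example of the second option above (not code from the original article or from Apple), the functions below retarget the Lion installer at Snow Leopard by editing the version check in its distribution script. Assumptions: the flat package expands with `pkgutil --expand` into a directory holding a file named `Distribution` (the comments on this page call it “Distributions”), and the OS check in it compares against the strings “10.7.5” and “10.7”. The sample distribution file is constructed to mimic that structure and is not copied from Apple’s package; the function names are my own. One practical point the example enforces: the substitutions must run longest match first, otherwise “10.7.5” becomes “10.6.5” before the “10.7.5” rule ever sees it.

```shell
#!/bin/sh
# Added example: point the Lion bash installer at Snow Leopard 10.6.8.

# Rewrite the version strings in a Distribution file in place. Longest match
# first, so "10.7.5" -> "10.6.8" and only the remaining bare "10.7" -> "10.6".
retarget_distribution() {
    dist="$1"
    tmp="$dist.new"
    sed -e 's/10\.7\.5/10.6.8/g' -e 's/10\.7/10.6/g' "$dist" > "$tmp" && mv "$tmp" "$dist"
}

# Sanity check after editing: no Lion version string left, Snow Leopard's present.
verify_retarget() {
    dist="$1"
    if grep -q '10\.7' "$dist"; then
        return 1
    fi
    grep -q '10\.6\.8' "$dist"
}

# Constructed sample (assumption: Apple's file has the same two kinds of check,
# a compareVersions() call in the installation-check script and an
# <allowed-os-versions> element). Written to the path given as $1.
write_sample_distribution() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>OS X bash Update 1.0</title>
    <options allow-external-scripts="no" customize="never"/>
    <installation-check script="installationCheck()"/>
    <script>
    function installationCheck() {
        if (system.compareVersions(system.version.ProductVersion, '10.7.5') &lt; 0) {
            my.result.message = 'This update requires 10.7.5 or later.';
            my.result.type = 'Fatal';
            return false;
        }
        return true;
    }
    </script>
    <allowed-os-versions><os-version min="10.7"/></allowed-os-versions>
</installer-gui-script>
EOF
}

# Whole procedure on OS X: expand the package, edit, verify, flatten it again.
# Needs pkgutil, so this part only runs on a Mac; the editing above is portable.
retarget_lion_pkg() {
    pkg="$1"       # BashUpdateLion.pkg
    out="$2"       # path for the rewritten package
    work=$(mktemp -d) || return 2
    pkgutil --expand "$pkg" "$work/expanded" || return 1
    retarget_distribution "$work/expanded/Distribution" || return 1
    verify_retarget "$work/expanded/Distribution" || return 1
    pkgutil --flatten "$work/expanded" "$out"
}
```

After the rewritten package installs, confirm the result rather than trusting the installer: `bash --version` should report the 3.2.53 build the commenters below see on patched systems, and the Shellshock probe should no longer execute the smuggled command. This remains unsupported by Apple; keep the Time Machine backup mentioned earlier.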


Posted by: Paul Horowitz in Command Line, Mac OS, News, Security

20 Comments


  1. toto says:

    3 UPDATES ??? There are 3 different versions ???

    • Paul says:

      Yes, unless you are triple booting all three versions of OS X you only need to pick the one for the version you are running.

  2. toto says:

    NO UPDATE FOR SNOW LEOPARD ???

  3. Ignite Mindz says:

    No Snow Leopard update?

    • Snow Cat says:

      This is UNSUPPORTED and UNOFFICIAL, but you can install the bash patches on almost any version of OS X.

      For example, you can use the Lion bash patch with Snow Leopard. This is fairly technical, but chances are that if you’re still running Snow Leopard you’re fairly proficient so it may not be too crazy for you.

      You’ll need either unpkg or the pkgutil tool in OS X

      http://www.timdoug.com/unpkg/

      https://osxdaily.com/2011/09/26/show-package-contents-unavailable-extract-pkg-files-without-installing-them/

      BACK UP YOUR MAC before doing this – if you break bash you want a backup to return to

      Download the Lion version of the BashUpdateLion.pkg file and extract it on Snow Leopard

      Open the “Distributions” file in a code editor like vi, nano, BBEdit, or TextEdit and look for any entry with “10.7” or “10.7.5”

      Use a Find & Replace to replace any existence of “10.7” with “10.6”

      Use Find & Replace for “10.7.5” and replace it with “10.6.8”

      Save the modified Distributions file and run BashUpdateLion.pkg in OS X Snow Leopard, it will now install

      This is UNSUPPORTED and UNOFFICIAL.

      You can also just extract the package and copy the files over, backing up the old ones (/bin/bash etc.) like this:

      Or for PPC versions and Snow Leopard, you can follow these instructions and install bash manually: http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html

      ****Download bash patched version**** http://sourceforge.net/projects/tenfourfox/files/tools/bash-4.3.28-10.4u.gz/download

      # start a shell other than bash before replacing /bin/bash
      zsh

      # the download is gzipped: decompress it and make it executable
      gunzip bash-4.3.28-10.4u.gz
      chmod +x bash-4.3.28-10.4u

      # backup old bash
      sudo mv /bin/bash /bin/bash_old
      sudo mv /bin/sh /bin/sh_old

      # install new bash versions
      sudo cp bash-4.3.28-10.4u /bin/bash
      sudo cp bash-4.3.28-10.4u /bin/sh

      # refresh bash shell and test for vulnerability
      exec /bin/bash
      bash --version

      or you can modify your system version in /System/Library/CoreServices/SystemVersion.plist and force it to install

      You can also use this trick to install the OS X Mavericks version on earlier versions of Mavericks from 10.9.5 (like 10.9.4 for example).

  4. George says:

    Apple issues incomplete OS X patch for Shellshock
    http://www.zdnet.com/apple-issues-os-x-patch-for-shellshock-7000034170/
    Testing by ZDNet showed that while the patch fixed the issues outlined in the original CVE-2014-6271 report and CVE-2014-7169, OS X remains vulnerable to CVE-2014-7186.

  5. Andrew says:

    I tried to run the update for 10.9.5 and I get the ridiculous “Unapproved caller. SecurityAgent may only be invoked by Apple software.”

    For some other installation this happened but I was able to `rm -R /var/folders/*` and get past it; not this time.

  6. Cristiano says:

    Moderator, please delete this comment as it was messed up… :-)

  7. Cristiano says:

    I think Apple should deliver this upgrade through the Mac App Store in order to reach all users…

  8. Mark says:

    So what version number should bash report after the update?

    • RobertX says:

      $> bash --version
      GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
      Copyright (C) 2007 Free Software Foundation, Inc.

  9. Paul says:

    For those interested, Apple describes the update here: http://support.apple.com/kb/HT6495

    And here are some added details on the Bash patch by way of @MacMiniVault, including what has been changed:

    UPDATE 2014-09-29 at 5:00 CDT (GMT -5:00): Apple has released a “1.0” patch for bash. They have yet to send out their normal announcement to their Security-announce mailing list. The Apple patch updates bash to 5.3.23 (same as where we were last Friday). Apple’s patch also places a new profile and bashrc file in /private/etc as well as updated man files/documentation. Oddly, a new file is also placed in /usr/bin/ named bashbug.

    via http://www.macminivault.com/shellshock/
