OS X Bash Update 1.0 Released to Address Shellshock Security Flaw
Apple has released an important security update for Mac users, labeled as OS X Bash Update 1.0. The update addresses a recently discovered critical security flaw known as “Shellshock” that impacts the bash shell, the default shell used by the Terminal app of OS X, and is recommended for all users to install even if they don’t use the Terminal app, bash, or command line on the Mac.
The download is very small, weighing in at around 3.5MB, and the release notes simply state “This update fixes a security flaw in the bash UNIX shell.” The security patch is currently available as three separate downloads, for OS X Mavericks 10.9.5, OS X Mountain Lion, and OS X Lion. Bash patches for the OS X Yosemite Public Beta and Developer Preview releases are not yet available.
Users can download the appropriate DMG file for their version of OS X via the links below:
- Bash Update for Mavericks (OS X 10.9.5+ required)
- Bash update for Mountain Lion (OS X 10.8.5)
- Bash Update for Lion (OS X 10.7.5)
Note that Mac users must be on the latest versions of their respective releases to install the update. Despite being a small update, it’s good practice to do a quick backup of your Mac with Time Machine or your backup software of choice before installing any system updates.
At the moment, the OS X Bash Update is only available through the Apple Support website, but presumably will also be released through the Software Update mechanism of OS X in the near future.
Though it’s unlikely that most Mac users have been impacted by any particular security breach, or are at risk of a breach from the Shellshock bash exploit, it’s still a good idea to install critical security patches like this. Apple previously offered the following statement to MacRumors regarding the flaw and who it could impact:
“Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
The “advanced UNIX services” Apple refers to are presumably Remote Login and the SSH server, which allow remote administration (though a user would still need a valid login to gain access to the Mac), and the optional OS X Apache web server, which lets Mac users host webpages directly from their Mac and offers another theoretical attack vector. Again, it’s fairly unlikely that many Mac users have been at risk, even if they use the Remote Login or web server features of OS X.
What about a Bash patch for Mac OS X Snow Leopard?
For Mac users running OS X 10.6.8 Snow Leopard, you have a few options to patch bash:
- You can manually install the newest version of bash with gcc, homebrew, or MacPorts
- You can manually install the Lion bash patch linked above, either by extracting the pkg file from the OS X Lion version and manually copying the new bash binaries to Snow Leopard, or by modifying the Distributions file so the package allows installation on Snow Leopard
At the moment, Apple has not released an official bash patch for Snow Leopard, which means 10.6 users will need to install the new version of bash themselves.
3 UPDATES ??? There are 3 different versions ???
Yes, unless you are triple booting all three versions of OS X you only need to pick the one for the version you are running.
NO UPDATE FOR SNOW LEOPARD ???
http://hacksagogo.wordpress.com/2014/10/02/shell-shock-os-x-bash-update-installer-for-snow-leopard/
Here’s for the crazy ones, the misfits, the trouble makers, the round heads in the square holes. The ones who see things differently… and are still running Snow Leopard.
George, this is really great. Can you cover what was changed in the .pkg file exactly so that others can do it themselves? Many users are not comfortable installing pkg files from the web (understandably) so a way they could self-patch the installer to work in Snow Leopard would be excellent.
[X] DONE
See “Edit 1” in the blog post. Cheers.
Don’t forget to donate :-)
Excellent thanks for this.
BTW for those wondering, you can get PackageMaker from Apple:
https://developer.apple.com/downloads/index.action?name=packagemaker
No Snow Leopard update?
This is UNSUPPORTED and UNOFFICIAL, but you can install the bash patches on almost any version of OS X.
For example, you can use the Lion bash patch with Snow Leopard. This is fairly technical, but chances are that if you’re still running Snow Leopard you’re fairly proficient so it may not be too crazy for you.
You’ll need either unpkg or use the pkgutil in OS X
http://www.timdoug.com/unpkg/
https://osxdaily.com/2011/09/26/show-package-contents-unavailable-extract-pkg-files-without-installing-them/
BACK UP YOUR MAC before doing this – if you break bash you want a backup to return to
Download the Lion version of the BashUpdateLion.pkg file and extract it on Snow Leopard
Open the “Distributions” file in a code editor like vi, nano, BBEdit, or TextEdit and look for any entry with “10.7” or “10.7.5”
Use a Find & Replace to replace any existence of “10.7” with “10.6”
Use Find & Replace for “10.7.5” and replace it with “10.6.8”
Save the modified Distributions file and run BashUpdateLion.pkg in OS X Snow Leopard, it will now install
This is UNSUPPORTED and UNOFFICIAL.
You can also just extract the package and copy the files, make backups of old ones to /bin/bash etc like this
Or for PPC versions and Snow Leopard, you can follow these instructions and install bash manually: http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html
or you can modify your system version in /System/Library/CoreServices/SystemVersion.plist and force it to install
You can also use this trick to install the OS X Mavericks version on earlier versions of Mavericks from 10.9.5 (like 10.9.4 for example).
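The Snow Leopard option in the article and the step-by-step in the comment above can be scripted instead of done by hand in an editor. The following is an added example, not code from the article, the commenter or Apple. It assumes BashUpdateLion.pkg is in the current directory, that an expanded flat package carries its installer rules in a top-level file named Distribution (singular), and that pkgutil --expand and pkgutil --flatten are available, as they are on OS X. It deliberately applies the more specific replacement (10.7.5 to 10.6.8) before the generic one (10.7 to 10.6); doing it in the other order would first turn 10.7.5 into 10.6.5, after which the second replacement finds nothing to match.

```shell
#!/bin/sh
# Added example: retarget a Lion BashUpdate package at Snow Leopard by
# rewriting the OS version strings in its Distribution file.
# Assumptions (not from the article): BashUpdateLion.pkg is in the current
# directory and the expanded package has a top-level "Distribution" file.

# Rewrite version strings in a Distribution file.
# $1 = input file, $2 = output file.
# The specific "10.7.5" rule runs before the generic "10.7" rule so that
# 10.7.5 becomes 10.6.8 and not 10.6.5.
retarget_distribution() {
    sed -e 's/10\.7\.5/10.6.8/g' -e 's/10\.7/10.6/g' "$1" > "$2"
}

# Full workflow on OS X: expand the flat package, edit, flatten it again.
# $1 = source .pkg, $2 = destination .pkg (must not already exist).
retarget_pkg() {
    src="$1"; dst="$2"
    work=$(mktemp -d) || return 1
    pkgutil --expand "$src" "$work/expanded" || { rm -rf "$work"; return 1; }
    if [ ! -f "$work/expanded/Distribution" ]; then
        echo "no Distribution file in $src; layout differs from assumption" >&2
        rm -rf "$work"; return 1
    fi
    retarget_distribution "$work/expanded/Distribution" "$work/Distribution.new"
    mv "$work/Distribution.new" "$work/expanded/Distribution"
    pkgutil --flatten "$work/expanded" "$dst"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage on a Snow Leopard machine (not run here):
#   retarget_pkg BashUpdateLion.pkg BashUpdateSnowLeopard.pkg
#   open BashUpdateSnowLeopard.pkg
```

Keep the original BashUpdateLion.pkg unchanged and diff the two Distribution files before flattening so you can confirm that only the version strings moved; the payload, the bash binaries themselves, is untouched by this edit.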
Apple issues incomplete OS X patch for Shellshock
http://www.zdnet.com/apple-issues-os-x-patch-for-shellshock-7000034170/
Testing by ZDNet showed that while the patch fixed the issues outlined in the original CVE-2014-6271 report and CVE-2014-7169, OS X remains vulnerable to CVE-2014-7186.
I tried to run the update for 10.9.5 and I get the ridiculous “Unapproved caller. SecurityAgent may only be invoked by Apple software.”
For some other installation this happened but I was able to `rm -R /var/folders/*` and get past it; not this time.
Moderator, please delete this comment as it was messed up… :-)
I think Apple should deliver this upgrade through the Mac App Store in order to reach all users…
I agree actually!
Are you sponsored by Apple? Why did you cut my comment like this? :-\
You left a comment asking to remove the comment?
So what version number should bash report after the update?
$> bash --version
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
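The version string in the reply above is the quickest way to tell whether the update actually landed on a machine, which matters when you are checking several Macs rather than one. The following is an added example, not code from the article or its commenters: it parses the first line of bash --version, compares the dotted version numerically against a minimum you pass in, and reports patched, unpatched or unknown. The minimum 3.2.53 used in the usage line is the value the reply above shows for Mavericks; it is assumed, not verified here, that the other OS X builds report the same number. Note also that a version number only proves the update was installed; the ZDNet finding quoted in the comments above is that the patched bash still has an open issue, so treat this as an inventory check, not proof the shell is free of every Shellshock variant.

```shell
#!/bin/sh
# Added example: report whether the installed bash is at least the version
# Apple's update ships. Assumption (not from the article): 3.2.53 is the
# patched version on every OS X build, as the comment above shows for Mavericks.

# Extract the dotted version from a line such as
# "GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)" -> "3.2.53".
# Prints nothing if the line does not look like bash --version output.
bash_version_string() {
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version \([0-9][0-9.]*\).*/\1/p'
}

# Numeric comparison of two dotted versions; prints 1 if $1 >= $2, else 0.
# A plain string comparison would get "3.2.9" vs "3.2.53" wrong, hence awk.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) { print 1; exit }
            if (xi < yi) { print 0; exit }
        }
        print 1
    }'
}

# $1 = first line of `bash --version`, $2 = minimum patched version.
# Prints "patched", "unpatched" or "unknown" (line not recognised).
bash_patch_status() {
    v=$(bash_version_string "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    if [ "$(version_ge "$v" "$2")" = 1 ]; then
        echo patched
    else
        echo unpatched
    fi
}

# Live check of the bash on this machine (constructed minimum from the reply above):
#   bash_patch_status "$(bash --version 2>/dev/null | head -n 1)" 3.2.53
```

Run the live check as the same user that will use Terminal, because a bash installed via Homebrew or MacPorts may sit earlier in that user's PATH than /bin/bash; checking /bin/bash --version explicitly tells you whether the system copy, the one Apple's package replaces, was updated.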
For those interested, Apple describes the update here: http://support.apple.com/kb/HT6495
And here are some added details on the Bash patch by way of @MacMiniVault, including what has been changed:
via http://www.macminivault.com/shellshock/