Apple has released an update fixing the "Shellshock" vulnerability in "BASH", which allows an attacker to remotely bypass access restrictions and eventually execute system commands. If you are using a MacOS device, please follow the instructions below.
How to Apply the Update
Security Update 2014-005 was initially only available as a separate download. Apple has now released it via the standard Software Update function for OS X 10.8 and 10.9. Please run Software Update to install the update.
OS X 10.7 is not supported anymore, so the Security Update 2014-005 has not been made available for 10.7. As there are other serious vulnerabilities on 10.7 that will not be fixed, users should migrate to a supported version of OS X as soon as possible.
How to Check the Update is Installed
There are several ways to check that the BashUpdate is installed:
- by using Terminal.app for users that are at ease using the Terminal
- by using System Information for users that prefer the graphical user interface (only Mac OS X 10.8 and 10.9)
To check the installed version of bash, type "/bin/bash --version". You should get the reply:
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwinXYZ)
Copyright (C) 2007 Free Software Foundation, Inc.
with "XYZ" being "11" for Lion, "12" for Mountain Lion and "13" for Mavericks.
The important part here is the version number "3.2.53(1)". If you get any version number lower than 3.2.53, your system is vulnerable and you need to install the BashUpdate.
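The same version check as a script, useful when several Macs have to be checked; this is an added example, not part of the original advisory or of Apple's update. The function names and the sample banners are constructed for illustration, and the 3.2.53 threshold is the one stated above.

```shell
#!/bin/sh
# Added example: apply this page's version rule to "/bin/bash --version" output.
FIXED_VERSION="3.2.53"   # first fixed version, as stated on this page

# Print "major.minor.patch" from the first line of the banner, or nothing.
parse_bash_version() {
    printf '%s\n' "$1" | sed -n \
        '1s/^GNU bash, version \([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p'
}

# Succeed if dotted version $1 is lower than $2, comparing each field as a
# number (a plain string comparison would rank 3.2.9 above 3.2.53).
version_lt() {
    for field in 1 2 3; do
        a=$(printf '%s' "$1" | cut -d. -f"$field")
        b=$(printf '%s' "$2" | cut -d. -f"$field")
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
    done
    return 1   # equal versions are not "lower"
}

# Print "patched", "vulnerable" or "unknown" for a version banner.
check_banner() {
    version=$(parse_bash_version "$1")
    if [ -z "$version" ]; then
        echo "unknown"
    elif version_lt "$version" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Constructed sample banners (not captured from real machines).
SAMPLE_PATCHED='GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.'
SAMPLE_OLD='GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)'
SAMPLE_SINGLE_DIGIT='GNU bash, version 3.2.9(1)-release (x86_64-apple-darwin12)'

for banner in "$SAMPLE_PATCHED" "$SAMPLE_OLD" "$SAMPLE_SINGLE_DIGIT"; do
    echo "$(check_banner "$banner")  <- $(printf '%s\n' "$banner" | head -n 1)"
done

# The machine this script runs on:
echo "local /bin/bash: $(check_banner "$(/bin/bash --version 2>/dev/null)")"
```

A result of "unknown" means the banner did not have the expected format and the version should be checked by hand.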
Check the Installed Bash Version using System Information
In OS X 10.8 and 10.9 the utility "System Information" can be used to check that BashUpdate is installed. Start System Information and scroll in the left pane to "Software / Installations". Scroll in the upper right pane until you find the item "OS X bash Update"; it should have "Apple" as Source. If you cannot find that item, your system is vulnerable and you need to install BashUpdate.
Frequently Asked Questions
Question: I never use the Terminal, should I install the BashUpdate?
Answer: The vulnerability does not depend on a user using the Terminal. It is sufficient to have certain services activated to render the Mac vulnerable. So you should install BashUpdate even if you never use the Terminal.
Question: I have changed my default shell to XYZ, should I install the BashUpdate?
Answer: The vulnerability does not depend on a user using bash as default shell. It is sufficient to have certain services activated to render the Mac vulnerable. So you should install BashUpdate even if your default shell is not bash.
Question: Are versions of OS X below 10.8 vulnerable?
Answer: Yes, all released OS X versions are vulnerable. But versions below 10.8 are no longer supported by Apple, so there will be no fix for these OS X versions. If you still use an OS X version below 10.8, you should migrate to a supported version of OS X as soon as possible.
Question: I just installed a software update, and it mentions http://support.apple.com/kb/ht1222. In the table on that page I see an entry "OS X bash Update". Does this mean it also installed the BashUpdate?
Answer: No, the Apple page HT1222 is a list of all security updates released recently. Each Apple update that includes some security fixes links to that page. This does not imply that the update you just installed contains the BashUpdate. Please use the methods described above to check whether the BashUpdate is installed on your Mac.
Question: Apple initially said that only a small fraction of Macs are vulnerable. Is it necessary that I install the update?
Answer: New vectors to exploit the vulnerability have been discovered in the meantime, so every Mac user should install the BashUpdate on his devices.