Apple patches Shellshock vulnerability, but it’s not in Software Update

OS X bash Update 1.0 for OS X Mavericks released to address Shellshock bug on Macs

Apple released OS X bash Update 1.0 for OS X Mavericks to fix a vulnerability in the bash UNIX shell. The vulnerability, known as “Shellshock,” is believed to be much worse than the Heartbleed vulnerability that was discovered earlier this year.

PC Magazine wrote about two scenarios that can make OS X vulnerable to the Shellshock bash bug:

For example, Bash would be exposed if a user turned on the remote login capability for all users, including guests. But that is an action that “is probably not the most secure thing to do anyway,” Erwin wrote, as it would open up the computer to other possible attacks.

Another scenario in which adjusted settings could make a difference is on a Lion OS X server running Apache or PHP scripting environments, Erwin wrote. If Apache is configured to run scripts, an attacker could insert variables into a script that a Bash shell would run.

Curiously, OS X bash Update 1.0 isn’t available through the usual channel (the Updates tab in the App Store); it has to be downloaded and installed manually. Given the potential impact of the bug, it’s recommended that all OS X 10.9/Mavericks users install OS X bash Update 1.0 right away.

By Jason O'Grady

Founded the PowerPage in 1995.