With comments like this (and about 75% of the other juvenile comments) it's really hard to come to these forums and expect to get useful information without wading through enormous piles of cr*p presumably posted by pimply adolescents who can't get dates and spend their time thinking of ways to post useless, but completely unfunny, comments.

Or you can just admit that you shouldn't have asked why in an attempt to be right about something.
 
I don't see this in regular software update, isn't this important enough to show there? ;)

----------

Ok, I think this is when the rubber meets the road. This is a major security hole. Apple is big in security. It always made fun of PC because of the viruses afflicting PC machines. We are all holding our breath to hear great news about how Apple is going to tackle such a huge security hole, and then:

This is what we get:
1. Some PR announcement saying that most people are not affected, without going into details on who might be affected and how. Pathetic :(
2. Releasing a fix that apparently is not even available through regular update.

I have an Ubuntu machine and I think I have received no less than 3 updates to bash since the problem was announced.

I know that a big company has to be cautious about the fixes it releases, but this is bordering on a ridiculous failure. I would expect a multibillion corporation to fix this quickly and with full transparency.

My 2 cents.
 
This is weird. I have installed the update via the direct download from Apple, but when I go ahead and test it out in Terminal it still behaves as if it's vulnerable. But the version is newer: it is version 3.2.53(1)-release, when it said 3.2.51(1) before the patch. Any help?
 
Tim Cook, stop being lazy and tell your developers this update does not show up in the App Store. DAMN! WTF is happening with Apple? Seriously, iOS 8 failing and now this, are you drunk?
 
hehe... the name says it all...

Seriously...

Anyone wanna use Windows? It's looking like a better choice every day.

While Apple may have it in Software Update shortly.. I always have my issues until I see it with my own eyes..

Any long standing Apple user will know when Apple means "fixes" what they *really* mean is "still busted"
 
Many thanks to the guy who provided the link to this update. However, what I did see in the compendium of suggested updates in App Store, was OS update 10.9.5 (no reports from MacRumors, strange). Was the BASH sec fix bundled in this update?
 


Hmm.
 
When I search for updates, no updates are found. Checked on my late 2013 iMac and MacBook Pro.

Is anyone else in this situation?
 
I'm on 10.9.5 and I can't see the update. I'll do it manually, but Apple's constant cockups of software updates lately are concerning.
 
I came across this to check for vulnerabilities: https://github.com/hannob/bashcheck . It reports that the updates from Apple, 3.2.54, and 4.3.27 are still vulnerable to CVE-2014-7186 (redir_stack bug).

This test indicates that bash is "vulnerable" because bash gives a segmentation fault there. Because Apple's patch won't pass functions by default, the concern isn't that bash is truly vulnerable, but rather that the crash could potentially open up some other access, same as the crash of any other binary.
More in-depth testing on CVE-2014-7186 is here: https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00238.html
Aside from that fault, Apple's bash after this patch is not vulnerable.
 
Did I miss something, 10.9.5 or later, what for the love of apples is later than 10.9.5??

It’s just a generic statement. It simply means that you need at least 10.9.5. If you happen to run 10.9.6 (if that’s ever released) then you can install this fix too.
 
As of last evening (I haven't been on my Mac 10.9.5 this morning), the Bash update hadn't shown up in my Software Update either.

Perhaps it has something to do with Apple saying that most OS X users are not at risk; but being that the Bash shell is just one icon click away (opening Terminal).

I thought about doing the manual upgrade from Apple's support technote, but figured I'd just update through Software Update and let Apple tell me when I need it.

I don't see this in regular software update, isn't this important enough to show there? ;)
 
This test indicates that bash is "vulnerable" because bash gives a segmentation fault there. Because Apple's patch won't pass functions by default, the concern isn't that bash is truly vulnerable, but rather that the crash could potentially open up some other access, same as the crash of any other binary.

More in-depth testing on CVE-2014-7186 is here: https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00238.html

Aside from that fault, Apple's bash after this patch is not vulnerable.


Isn't that the point of CVE-2014-7186 though, that the segfault is an opening, even if it's a pain to exploit? I feel better that the low hanging fruit issues were patched, but still uneasy that bash can be crashed so easily. I'll keep following that mail thread to see if I should be more concerned.
 
I don't really care for myself, but not being in Software Update/App Store Updates means inexpert users won't know about or get it, nor will it flow down to enterprise management systems which replicate from Apple's main system (aka local Software Update server, e.g.: as found in OS X Server).
 
Isn't that the point of CVE-2014-7186 though, that the segfault is an opening, even if it's a pain to exploit? I feel better that the low hanging fruit issues were patched, but still uneasy that bash can be crashed so easily. I'll keep following that mail thread to see if I should be more concerned.

It's potentially an opening, yes, so I do hope that bash receives further maintenance from Apple. At least the direct issue is mitigated for now.

----------

I don't really care for myself, but not being in Software Update/App Store Updates means inexpert users won't know about or get it, nor will it flow down to enterprise management systems which replicate from Apple's main system (aka local Software Update server, e.g.: as found in OS X Server).

It took me 2 minutes total to add it to my deployment system. Presumably professional system administrators will be on top of this.
As for why it's not in Software Update? A huge mystery to say the least.
 