This Update is NOT the latest version of BASH

Apple's latest update doesn't fix the latest two exploits found for bash. Bash 3.2.54 has already been released to address CVE-2014-7186 and CVE-2014-7187.

The only option right now is to manually update to 3.2.54 (pretty easy once you've installed Xcode, and it works on every version of OS X):

http://mac-how-to.wonderhowto.com/h...lshock-bash-exploit-heres-patch-os-x-0157606/

This is also the only option for Yosemite users.
 
Because the internet is inundated with thousands of bloggers repeating the same story incessantly, I can't find an answer to this question.

systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services

What are some examples of advanced UNIX services?

I have about 50 Macs in remote networks (in universities) and the OS ranges from 10.4 to 10.9. So I do feel like I may be a little exposed. :)
 
What are some examples of advanced UNIX services?

DHCP, Apache, CGI, PHP, telnet, ssh, scp, possibly many more servers, assuming they accept INCOMING connections. If you block ALL incoming connections and don't run any software that allows it, then this is relatively low risk for you. Still, patching isn't hard.
 
What are some examples of advanced UNIX services?

Remote Login for example, under Sharing.

But what Apple said is not entirely true.
Because Macs are also vulnerable if you're connected to a bad network via DHCP and that is not an "advanced service".

Why? For the vast majority of users this isn't a problem on Mac OS.

Wrong. A lot of people are using DHCP.
 
What! No Snow Leopard update! Rage, rage against the dying of the light.

What am I meant to do now on my white iMac? Upgrade to Lion and bog it down, given it only has minimum of RAM?
 
Is this safe or going to be like the iOS 8 one can only tell.

----------

hmmm went to get this update in app store and nothing....:confused:
 
Requires 10.7.5, 10.8.5, 10.9.5

It's worth noting that the "official" bash patches from apple won't install on 10.7.4 or lower, 10.8.4 or lower, and 10.9.4 or lower, so you're out of luck if you're not up to date, and should patch them yourself if you don't want to update to the latest 10.x.5 release of whatever OS you're on.

This tutorial is pretty easy to follow and will allow you to patch your version of bash regardless of what version of OS X you're on.
http://mac-how-to.wonderhowto.com/h...lshock-bash-exploit-heres-patch-os-x-0157606/
 
Apple's latest update doesn't fix the latest two exploits found for bash. Bash 3.2.54 has already been released to address CVE-2014-7186 and CVE-2014-7187.

Apple's patch takes a different approach, similar to those used by the various Linux distributions, to solving the other vulnerabilities:
Apple Security notice said:
In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.
This will address -7186 and -7187.
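
The naming scheme quoted from the Apple notice can be checked mechanically. The following is an added example, not part of the original post and not Apple's or the bash project's code; it classifies environment entries by whether their name carries the Apple decoration, the `BASH_FUNC_name%%` decoration used by current upstream bash, or no decoration at all. The function names, the `gr_probe` name and the sample environment are assumptions constructed for illustration.

```bash
# Added example: classify environment entries as exported-function candidates.

# classify_env_entry NAME VALUE prints one of:
#   plain               value does not start with "() {"
#   apple-decorated     NAME is __BASH_FUNC<name>()  (from the Apple notice)
#   upstream-decorated  NAME is BASH_FUNC_name%%     (current upstream bash)
#   legacy-function     undecorated NAME whose value starts with "() {"
classify_env_entry() {
  local name="$1" value="$2"
  case $value in
    '() {'*) ;;
    *) echo plain; return ;;
  esac
  case $name in
    '__BASH_FUNC<'*'>()') echo apple-decorated ;;
    BASH_FUNC_*%%)        echo upstream-decorated ;;
    *)                    echo legacy-function ;;
  esac
}

# Read NAME=VALUE lines on stdin; print "<class><TAB><NAME>" for each.
audit_env_lines() {
  local line
  while IFS= read -r line; do
    case $line in *=*) ;; *) continue ;; esac
    printf '%s\t%s\n' \
      "$(classify_env_entry "${line%%=*}" "${line#*=}")" "${line%%=*}"
  done
}

# Show how the bash on this machine names a function it exports itself.
# gr_probe is a throwaway function name used only for this check.
probe_installed_bash() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
  bash -c 'gr_probe() { :; }; export -f gr_probe; env' |
    grep -F gr_probe | head -n 1 | audit_env_lines
}

# Constructed sample environment (not captured from a real system).
sample_env() {
  cat <<'EOF'
HOME=/Users/example
__BASH_FUNC<greet>()=() { echo hi; }
BASH_FUNC_greet%%=() { echo hi; }
HTTP_COOKIE=() { :; }
EOF
}

sample_env | audit_env_lines
probe_installed_bash
```

A `legacy-function` result from `probe_installed_bash` means the installed bash still exports, and so accepts, function definitions under undecorated variable names. In the sample, `HTTP_COOKIE` is the kind of header-derived entry the notice's prefix and suffix are meant to keep from being read as a function.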
 
Still not showing up for me. Could just be a delayed distribution to different user regions, but maybe it's because I had already installed the MacPorts version of bash and now Software Update thinks I don't need the update? That would be unfortunate because the installed Apple version remains vulnerable on my machine. I'll wait and see what happens in the next few hours, and then remove the MacPorts version if it still doesn't show up.

----------



No. Unless you have network services, such as Apache web server, running and accessible to the wider internet. That's rarely the case with a regular Mac. As Apple stated, only "advanced" users would be affected by this problem. Have you turned on any such advanced features and opened up additional network services to the outside world?

----------

I haven't seen it mentioned yet, but is bash installed on iOS? Is iOS vulnerable, as well, given its always-on nature?

No, no server.
 
It's a very highly published and potently exploitable bug. You don't need to be running a server for it to be exploited.

It could, for example, be exploited by malware that you download. The bash patch should be applied by everyone.

Of course, the patch should be applied by everyone eventually, but give me a break. If you run god damn malware, you are already being exploited and it's not because of this bug; it is because you are an idiot. So, no, it is NOT an issue for the average person and even if they forget to patch it this week, the sky will not fall on them.

I just hate drama queens...

BTW, I've got 30 years in computer and software engineering. So, hey, what do I know.
 
The Lion and Mountain Lion support is a pleasant surprise. My mom can't go past Lion, and I'm on Mountain Lion myself. Usually, Apple doesn't care about people who don't update.

P.S. I don't see the update on my App Store.
 
Apple's patch takes a different approach, similar to those used by the various Linux distributions, to solving the other vulnerabilities:

This will address -7186 and -7187.

interesting idea. I do wonder if this can be circumvented somehow. Personally I would be in favor of also adding something to bash that by default would completely turn off the feature of letting env variables to define functions.
leave some switch to turn it on for those who really want to use it.
This seems to be a rarely used feature and saving it as is doesn't seem to be worth the trouble.
 
interesting idea. I do wonder if this can be circumvented somehow. Personally I would be in favor of also adding something to bash that by default would completely turn off the feature of letting env variables to define functions.
leave some switch to turn it on for those who really want to use it.
This seems to be a rarely used feature and saving it as is doesn't seem to be worth the trouble.

That seems to be the debate that developers are having with the owner of bash.
 
Remote Login for example, under Sharing.

But what Apple said is not entirely true.
Because Macs are also vulnerable if you're connected to a bad network via DHCP and that is not an "advanced service".



Wrong. A lot of people are using DHCP.

Are you sure Apple's DHCP is exposed? My understanding is that unlike Linux for example, OS X's DHCP doesn't allow script execution.
 
That seems to be the debate that developers are having with the owner of bash.

that's good to hear. I hope they succeed. given all the already discovered and probably many not yet discovered ways to exploit this vulnerability, this seems like the only really safe way to deal with it.
 
I'm not seeing it in the App Store either. Is it actually available from the App Store, or only by direct download?

I'm glad that I'm not the only one seeing this. I wonder if Apple is sending these updates out through their own Content Delivery Network and has geographic diversity. Strange that, even several hours later, many of us are not seeing the updates.

----------

I just installed via the direct link, and 3.2.53 has been installed. According to online reports, another bug or two has already been fixed, and 3.2.54 is now available. I wonder how long it will take for Apple to distribute this latest version?
 
interesting idea. I do wonder if this can be circumvented somehow. Personally I would be in favor of also adding something to bash that by default would completely turn off the feature of letting env variables to define functions.
leave some switch to turn it on for those who really want to use it.
This seems to be a rarely used feature and saving it as is doesn't seem to be worth the trouble.

This has always been a hole in any shell, or interpreter from.. Well, forever (I kind of remember some big problems in Perl and in some other shells a long time back). Sandboxing servers and making sure user account access is very restricted helps, of course. I think bash is in fact a way more complex shell than necessary to run basic services in. Simple old stalwarts like sh (the Bourne shell) should probably be used instead.
 
I didn't say the general OS X population. I said it sucks for Yosemite users.

With comments like this (and about 75% of the other juvenile comments) it's really hard to come to these forums and expect to get useful information without wading through enormous piles of cr*p presumably posted by pimply adolescents who can't get dates and spend their time thinking of ways to post useless, but completely unfunny, comments.
 
Remote Login for example, under Sharing.

But what Apple said is not entirely true.
Because Macs are also vulnerable if you're connected to a bad network via DHCP and that is not an "advanced service".



Wrong. A lot of people are using DHCP.

The OS X implementation of DHCP is not vulnerable, as it doesn't use scripts.
 