Bashing bash one more time: updated universal 4.3.26 covering both bash flaws
See the previous entry, but in short, bash has been shown to have a pretty nasty little vulnerability that causes it to inadvertently execute shell commands smuggled into the environment you pass it. This attack does work on Power Macs because most shell commands are cross-platform, and appears to exist on all versions of OS X.
The solution is easy: build a new bash from the newly patched source code. As a service to you, I have done so, and compiled it for PowerPC and Intel so it will also work for users on 10.6 who are not receiving updates either. The version earlier today had a preliminary version of the patch which does not fix a second variant vulnerability. This version does. If you used one of the "build from source" tricks that were circulating earlier today (MacRumors, etc.), your version does NOT have this second issue patched. Either wait for the public source trees to update and rebuild it (likely early tomorrow), or use this one.
The bash these steps will install works on 10.4 all the way to 10.9 on 32-bit Intel, 64-bit Intel and PowerPC. It requires no other dependencies. The idea is to replace your system bash -- yes, you can use Homebrew, Tigerbrew, MacPorts, etc., to get an updated copy, but your built-in bash is still vulnerable unless you replace it. This is designed to accomplish that. WARNING AGAIN: If you are not comfortable with the Terminal, get someone to help you!
In a Terminal.app window, verify that you have a vulnerable system so that you can see what that looks like (the command is all one line):
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
It should print
vulnerable
this is a test
Check the second vulnerability. This creates a file called echo with the date in it, if your system is vulnerable:
env X='() { (a)=>\' sh -c "echo date"; cat echo
It should print something like (the messages and of course the time will vary):
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Thu Sep 25 22:12:49 PDT 2014
(Delete the file it makes before you continue: rm echo)
Download the patched bash 4.3.26. Put it in your home directory. If necessary, double-click to decompress it so that you have a file in your home directory called bash-4.3.26-10.4u.
Close all terminal windows and programs just to make sure you won't stomp on bash while a program is trying to call it. Start Terminal and have exactly one window open.
In that terminal window:
exec tcsh
chmod +x bash-4.3.26-10.4u
If you replaced /bin/bash (and/or /bin/sh) with the patch earlier today, DO NOT DO THE NEXT TWO COMMANDS. If you have not already replaced them, go ahead; these will put the old ones in a safe place, just in case.
sudo mv /bin/bash /bin/bash_old (enter your password)
sudo mv /bin/sh /bin/sh_old (enter your password if needed)
Everybody does these:
sudo cp bash-4.3.26-10.4u /bin/bash (enter your password if needed)
sudo cp bash-4.3.26-10.4u /bin/sh (enter your password if needed)
Test that it took by trying the statements again:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
It should print
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Now, try the second one:
env X='() { (a)=>\' sh -c "echo date"; cat echo
It should print
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
date
cat: echo: No such file or directory
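The two checks above, bundled into one script you can run before and after the swap (an added example, not part of the original post or the bash package): it reports each flaw as "vulnerable" or "patched" for every shell path you give it, and runs the second check in a scratch directory so the stray echo file never lands in your home directory. The script name shellshock-check.sh is my own choice.

```sh
#!/bin/sh
# Added example (not part of the original post): run both checks from the
# post against a shell binary and report whether each flaw is present.
# Written in plain POSIX sh so it can be invoked as "sh shellshock-check.sh"
# from any shell, including the tcsh session used while swapping /bin/bash.

# First flaw: does the shell execute the command appended to a function
# definition in an environment variable? Prints "vulnerable" or "patched".
check_first_flaw() {
    shell="$1"
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Second flaw: does the broken parser turn "echo date" into "date > echo"?
# Run it inside a scratch directory, look for the stray "echo" file, then
# remove the directory. Prints "vulnerable" or "patched".
check_second_flaw() {
    shell="$1"
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$shell" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -f "$tmp/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Report on every shell path given; defaults to the two binaries the post replaces.
check_shells() {
    for shell in "$@"; do
        printf '%s: first flaw %s, second flaw %s\n' \
            "$shell" "$(check_first_flaw "$shell")" "$(check_second_flaw "$shell")"
    done
}

if [ $# -eq 0 ]; then
    set -- /bin/bash /bin/sh
fi
check_shells "$@"
```

Run it once before replacing bash (expect "vulnerable" twice per shell) and again after the copy and the reboot (expect "patched" twice); a shell path that does not exist is reported as patched, so check the paths you pass.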
Restart your Mac, as a paranoia measure, to make sure everything is using the new copy of bash.
Bask in the glow. Then, find a shell that doesn't suck.