14 DAY TRIAL // A security flaw discovered in the bash UNIX shell (affecting UNIX-based OSes, including OS X) is finally being patched by Apple with a small but important update targeting three major iterations of the company’s desktop operating system.
OS X Bash Update 1.0 is targeted at OS X 10.7 (Lion), OS X 10.8 (Mountain Lion), and OS X 10.9 (Mavericks). This, despite Apple saying last week that it wasn’t such a threat to Mac users.
Apple’s initial reaction to Shellshock reports
After learning about the discovery of the flaw, Apple told the press that “The vast majority of OS X users are not at risk to recently reported bash vulnerabilities.”
The Cupertino company proceeded to explain that “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.”
Apple said at the time that it was working with software engineers around the clock to address the issue and “provide a software update for our advanced UNIX users.”
That day has arrived, as the computer company is now offering three separate patches to address the vulnerability on multiple instances of its OS X operating system.
OS X Bash Update 1.0
Don’t be alarmed by the 1.0 designation. This doesn’t mean Apple expects to churn out bash fixes on a regular basis. The numbering is just a precautionary formality (in case this bug pokes its head out again).
Bash Update 1.0, according to Apple’s Support site, “fixes a security flaw in the bash UNIX shell.” Plain and simple. For those looking to learn more about the patch, the company offers a separate document.
The exact OS versions targeted by Bash Update 1.0 are: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5. The company detailed the flaw at length in this advisory, stating that “In certain configurations, a remote attacker may be able to execute arbitrary shell commands.”
“An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement,” it added. “This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.”
Several other details are dished out in the advisory, including how the update will prevent unintended function passing via HTTP headers.