OS X Bash Update 1.0 is now available to address Shellshock Security Threat

MacMedics Locations in Severna Park & Lanham

Apple commenting on Shellshock security threat via www.imore.com:
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson told iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
OS X bash Update 1.0 is now available and addresses the following:
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5,
OS X Mavericks v10.9.5
10.9 Link: http://support.apple.com/kb/DL1769
10.8 Link: http://support.apple.com/kb/DL1768
10.7 Link: http://support.apple.com/kb/DL1767
Impact: In certain configurations, a remote attacker may be able to execute arbitrary
shell commands
Description: An issue existed in Bash’s parsing of environment variables. This issue was
addressed through improved environment variable parsing by better detecting the end of
the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which resets the
parser state.
In addition, this update added a new namespace for exported functions by creating a
function decorator to prevent unintended header passthrough to Bash. The names of all
environment variables that introduce function definitions are required to have a
prefix “__BASH_FUNC<" and suffix ">()” to prevent unintended function passing via
HTTP headers.
The update from Apple can be downloaded here: http://support.apple.com/kb/DL1769
If you have modified either /etc/profile or /etc/bashrc be sure to back up those files before installing the Apple update, since the patch overwrites both.

Leave a Reply

Your email address will not be published. Required fields are marked *