Apple responds to ‘shell shock,’ fix coming soon

AppleLogoXRedApple is responding to the Shell shock vulnerability that was recently found (and unofficially patched). Apple has recognized the issue and will be out with a fix very soon. The bug, which affects the commonly used Bash shell in Unix and Linux systems, affects Mac systems because OS X contains a BSD layer that includes the Bash shell. However, in a statement to iMore, Apple claims the issue is not a serious concern for Mac users unless they have enabled specific remote connectivity.

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities…Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

Apple does not specify what these services are, but if you are simply using your Mac for common tasks like Web browsing, gaming, word processing, creative design, and even development purposes, then you are likely OK. However, if you have enabled remote access and are running custom services using the command line, then your system might be more vulnerable.

Since this bug affects all versions of Bash, it is present on all versions of OS X; however, Apple does not specify what versions of OS X the upcoming update will address. When Apple does release its fix, be sure to apply it. In the mean time, you can use these instructions to apply a quick fix for the issue.

5 thoughts on “Apple responds to ‘shell shock,’ fix coming soon

  1. forkboy1965

    I’m not certain I understand why this is taking so long to come from Apple. Your site, and others, have offered clear and concise instructions on how to update BASH.

    Am I missing something as to why Apple can’t get out a patch promptly?

    1. Topher Kessler Post author

      Companies like Apple will investigate the patch, and the vulnerabilities at hand, before addressing them. These patches are quick-fixes, that will need to be tested by those who apply them. If a problem occurs, then you can roll back to the backed-up version, so these instructions will not hurt anything.

  2. Al Varnell

    First off, there is almost universal agreement that the patch doesn’t fix all the currently known vulnerabilities and with more being revealed daily right now.

    Secondly, there are OS X processes (primarily on the server side I have heard) that make use of bash, so all of these processes have to be thoroughly tested to make sure the patch didn’t break anything.

    1. Topher Kessler Post author

      These patches are an ongoing effort that will likely take several patch versions to get right; however, so far the patches have not shown any changes to default OS X services and functions. With them applied, Bash has so far run properly for many. Nevertheless, it is always a good idea to test the uses of your system after applying such patches, and if there is a problem, then you have the backed-up versions that you can restore. Overall, for any update or patch there is always the possibility for broken functionality, but this is confronted by the security risk posed, especially to server systems that will undoubtedly have the services that use Bash.

      My recommendation here to anyone, is to back up the current bash and sh executables, and then install the patches and test them out. If problems occur, then you can roll back, but if not, then check back and apply any additional patches in a similar way, again repeating your testing and be prepared to roll back to a backup if necessary.

  3. forkboy1965

    The question for me, as a basic computer user with the latest version of Mavericks installed on my iMac: should I be concerned at all?

    Apple states I shouldn’t be, but when I ran the “test” I came back as vulnerable. But I also note I don’t do any of the things I’ve seen other sites report as being the sort of activity whereby I may be vulnerable.

    I find this rather confusing. Apple says don’t worry. Others say “Here, patch it yourself.” I find the lack of consistency in message, to be frank, infuriating and irritating.

    If I’m just some slob using my iMac to check e-mail, make the rounds of interesting web sites (like this one, Topher – you’re one of the best) and basic stuff like this (not some power Mac user with terminal commands in my dreams), should I just sit tight and wait for Apple to release an update or what?



Leave a Reply to forkboy1965 Cancel reply