Apple has released an important security update for Mac users, labeled as OS X Bash Update 1.0. The update addresses a recently discovered critical security flaw known as “Shellshock” that impacts the bash shell, the default shell used by the Terminal app of OS X. It is recommended for all users, even those who don’t use the Terminal app, bash, or the command line on the Mac.
The download is very small, weighing in at around 3.5MB, and the release notes simply state “This update fixes a security flaw in the bash UNIX shell.” The security patch is currently available as three separate downloads for OS X Mavericks 10.9.5, OS X Mountain Lion, and OS X Lion. A bash patch for the OS X Yosemite Public Beta and Developer Preview releases is not yet available.
Users can download the appropriate DMG file for their version of OS X via the links below:
- Bash Update for Mavericks (OS X 10.9.5+ required)
- Bash Update for Mountain Lion (OS X 10.8.5)
- Bash Update for Lion (OS X 10.7.5)
Note that Mac users must be on the latest versions of their respective releases to install the update. Despite being a small update, it’s good practice to do a quick backup of your Mac with Time Machine or your backup software of choice before installing any system updates.
At the moment, the OS X Bash Update is only available through the Apple Support website, but presumably will also be released through the Software Update mechanism of OS X in the near future.
Though it’s unlikely that most Mac users have been impacted by any particular security breach, or are at risk of a breach from the Shellshock bash exploit, it’s still a good idea to install critical security patches like this. Apple previously offered the following statement to MacRumors regarding the flaw and who it could impact:
“Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
The “advanced UNIX services” that Apple references are presumably Remote Login and the SSH server, which allow for remote administration, though a user would still need a valid login to gain access to a Mac. Another theoretical attack vector runs through weaknesses exposed by the optional OS X Apache web server, which allows Mac users to host webpages directly from their Mac. Again, it’s fairly unlikely that many Mac users have been at risk, even if they use the Remote Login or web server features of OS X.
What about a Bash patch for Mac OS X Snow Leopard?
Mac users running OS X 10.6.8 Snow Leopard have a few options to patch bash:
- You can manually install the newest version of bash with gcc, Homebrew, or MacPorts
- You can manually install the above Lion bash patches by either extracting the pkg file from the OS X Lion version and manually copying the new bash versions to Snow Leopard, or modifying the Distributions file to allow for installation on Snow Leopard
At the moment, Apple has not released an official bash patch for Snow Leopard, which means 10.6 users will need to install the new version of bash themselves.