[NewsPoster]

Although nearly all Mac users are unaffected by the issue Apple has made good on its word to quickly fix a serious security flaw in bash, a Unix shell that comes as part of OS X. Apple acknowledged the problem on Friday, and today released OS X bash update 1.0 for OS X Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9). The flaw, known as "Shellshock," could potentially allow users who have set up advanced Unix services that interact with the web to be vulnerable to remote intrusion.

The flaw appears to be far more widespread in conventional Unix and Linux installs, as those are usually helmed by advanced users that are more likely to employ web-facing services. The issue may have been present, but largely undiscovered, for the past two decades. Security firm Intego noted that while the vulnerability could potentially allow an attacker "complete control over a computer," it would actually be difficult for attackers to do anything in most circumstances. A user would have had to have turned on remote login capability for all users, including guests, for any attempt to be successful, and there are a perishing few OS X users who would need to do such a thing.

A somewhat more common, but still extremely rare, possibility is the chance of intrusion if users are on the server version of OS X, running Apache or PHP scripting environments. If the environment is Internet-facing, allows guests and is configured to run scripts, then an attacker could "insert variables into a script that a bash shell would run," according to PCWorld. Otherwise, the attacker would have to know the root password of the machine.

Though very serious, the steps involved in making the exploit available to attackers may help explain why the flaw hasn't been widely utilized. Patches went out over the weekend for many Unix and Linux distributions. The Mac versions of the patch are available through Software Update or the Apple Support website. There has been no word from Apple as of yet for a fix for the Yosemite version of bash, which is currently in public-beta and developer testing but is not yet officially released.

[BradMacPro]

I manually updated my bash for Snow Leopard.

[Charles Martin]

Good to know there are options for those running Snow as well. If you would like, drop an email with the procedure to [email protected] and I'll add that to the story. Cheers.

[ljmac]

BradMacPro: pardon my ignorance, but how did you do this?

[Richard Meyeroff]

Apple should have ALL security update available for all systems for at least 8 years. I realize that this is a financial burden on Apple but many lower income and older users, especially those that received hand me down computers, DON'T have the money to upgrade to newer OS's because of the cost of upgrading third party Applications.
It is good for Apple to allow updating the OS's at no cost but that is not the only expenses when updating.

[burger]

8 years? That's funny!

[DiabloConQueso]

You can manually update bash a number of ways, including re-compiling it with the included patches from source, or getting an alternate version through MacPorts or some similar software channel.

Here's a forum thread on recompiling bash for Mac OS X (Mavericks):

http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an

[Grendelmon]

Originally Posted by NewsPoster 

Although nearly all Mac users are unaffected by the issue...

Look, I'm not going to press this anymore, but this is just simply NOT TRUE. This Bash bug affects 100% of ALL MacOS X users.

You don't have to install or configure any "advanced UNIX services." All you have to do is push a button in the Sharing control panel for Remote Login (as well as Web Sharing for 10.6 and below users). Jesus Christ, the PR spin on this damage control just makes me shake my head at the blatant BS.

I'm glad that Apple has issued the latest patch for Bash, as they should have. If you are going to piggyback your OS on top of BSD, it's YOUR responsibility to ensure its security for your users. Period.

[panjandrum]

@burger: Why is that funny? Is it funny that many people and/or institutions (I'm talking Education and Non-Profits here) don't have money to upgrade? Is it funny to expect companies to actually support the equipment they sell? The problem here, is that an 8-year old Mac is perfectly functional many times. Especially in education, these systems simply can't be replaced because there isn't money to do so. When Apple (or any other tech company) stops supporting the equipment just because they feel like it (don't take my word for it, go find out how easy it is to install ML and even Mavericks on "unsupported" equipment, and how well it runs... There is often no technical reason for equipment to be abandoned. So the only remaining logical reason is because said company wants to make more money by forcing users to upgrade to new equipment). What *is* funny is the number of people who come to forums like this and suggest that companies shouldn't be responsible for providing reasonable support for the products they sell. I tell you what though, I have a solution for you, and for everyone else who has ever posted, on any forum, anywhere, the people are silly for expecting Apple and other companies to actually support their equipment properly until it really is obsolete: Go out and buy all the new equipment for the people, schools, or non-profits. Right now I have clients in need of at least 100 new systems because Apple refuses to support them properly. Post here and I'll give you the address to have the new system sent to. What? Don't think it's so funny now?

[DiabloConQueso]

There are a number of free, up-to-date, and very capable operating systems that will run atop an eight-year-old Mac.

No one is forcing anyone to continue to run unpatched, eight-year-old versions of OS X on their eight-year-old Macintosh computers.

Not to mention that you can patch bash yourself with a simple download of MacPorts, or following a step-by-step instruction guide to recompiling bash.

There are plenty of very quick, very simple, and very adequate workarounds to fully protect eight-year-old systems from this particular bash bug -- throwing your hands up and saying, "The ONLY solution I will accept is for Apple to patch their nearly decade-old operating system -- nothing else in the world will appease me, no matter how quick or easy it is!" is simply bull-headed and stubborn.

Jiminy Cricket, turn web sharing and remote login off on those systems and be done with it.

[panjandrum]

@Diablo. I was not responding in any way to your (very useful, thank you) post. I hope I made it clear that I was responding specifically to Burger's post. It's an attitude I find completely unacceptable, and which ignores the financial realities. And while it's nice that free operating systems will run on older hardware, they often aren't really a viable alternative (will they run iWork? Support easy management via. Apple Remote Desktop? etc. etc.). It's not about this specific patch, but about the attitude so many people have that "it's ok if a company fails to support their product." It says something very sad about consumers that so many people are will to accept that these companies, who are often raking in massive profits, aren't bothering to include support for hardware that "hackers" are able to add support for. It's an absolute absurdity.

[DiabloConQueso]

It's not an absolute absurdity. At some point, every manufacturer stops supporting either their historic operating systems, their historic hardware, or both.

The real crux of the matter is your opinion on whether 8-year-old operating systems and hardware are too young to stop supporting or not, and your opinion that since they're still usable machines that that somehow insinuates that they should remain manufacturer-supported.

Apple does have a more aggressive update schedule as well as a propensity to relegate software and hardware to "unsupported" status quicker than other software/hardware companies. It's no secret, though, and I find that life is much less frustrating when you take this into account. If you want to build a computer network comprised of nearly decade-old software and hardware, perhaps Apple stuff isn't what you want.

How likely do you think it is that this specific bash bug is at risk of being exploited maliciously on the specific software and hardware you're referring to, in your specific situation?

[burger]

I work in environments where the reality is 8 year old hardware/software is not just considered outdated, but a risk. Yes, you may have a computer that runs fine after 8 years, but if you want to run the current software and be up to date with patching for security and compatibility with other businesses, you can't rely on 8 year old technology to be a suitable option for mission critical work.

If, in your situation, you find it unaffordable to keep systems relatively current, at least to within a recent OS that is up to date with security releases, then I can understand that you are frustrated with the lack of free support. However, that is hardly grounds to suggest the manufacturer be on the hook for eternal support.

Additionally, your use of the term "obsolete" isn't hard defined. Are you suggesting that if it still turns on, it's not obsolete? Your 8 year expectation may be 15 years for someone else.

More to the point. Using your 8 year number, we're going back to Core Duo systems shipping with 10.4 that maxed out at 10.6.8. That's 4-5 years of OS support, and probably another 2 years of 10.6.8 security updates provided. That specific example is also key due to the 32bit to 64bit transition in focus for the 10.7 release.

I loved 10.6.8. I still think it's a better Server OS than the current offerings. At the same time, I understand that technology moves quickly and any company in the business that is spending resources trying to keep an 6 year old OS current would be getting a few strange looks in the tech world.