Since late last week the internet has been buzzing about something named Shellshock. Most users will never know or hear about the Bash shell, but it runs under the hood of OS X and other major operating systems and is critical for a lot of tasks. The flaw that was discovered last week allows an attacker to basically take over your machine if certain conditions are met, and it was already being exploited online shortly after its discovery.
Apple stated that most Mac users were safe from Shellshock, as remote services like web sharing are disabled by default. OS X Server users were not mentioned, but I consider them to be at far more risk, as it is much easier to set up and enable a web server or other remote services. However, this bug was serious enough to get Apple’s immediate attention, and today they released a software patch, “OS X bash Update 1.0”. Strangely, this update cannot be found through the normal software update process but has to be downloaded from Apple’s website.
The patch was released for the last three operating systems and can be found here:
OS X 10.7 Lion
OS X 10.8 Mountain Lion
OS X 10.9 Mavericks
No restart is required to install this security patch, but you do need to have the latest version of your OS installed. If the patch refuses to install, run Software Update first.
All Mac users running any of those OS X versions should download and install it immediately.
The fact that this update is not available through the Software Update menu or App Store is a concern. This means that a lot of OS X users may never install the update. Hopefully this will be corrected.