Apple has been all over the place in regard to the BASH/Shellshock vulnerability that has dominated the tech security news over the last week. Given that OS X uses the BASH shell as its default shell, when the bug was discovered the experts noted that Macs would be vulnerable, but Apple didn’t immediately offer any comment in response to queries.
After a few days, the company issued a statement saying that Macintosh computers were unlikely to be affected by the vulnerability. According to that statement, their systems “are safe by default and are not exposed to remote exploits of Bash unless users configure advanced UNIX services.” The problem is that there’s no way of knowing how many OS X users have their Macs set up to be web servers or have enabled some sort of remote application that can hook into Bash.
Another problem is that different variations of this vulnerability keep popping up; that’s why the first patches that were issued by some of the major Linux vendors were found to be only partially effective and new patches had to be developed.
In any event, Apple has now issued its own patch for OS X Lion, Mountain Lion and Mavericks. It’s called OS X bash Update 1.0 and it can be downloaded from the Apple web site. The update is also available for OS X Lion Server. These are separate updates that are specific to the particular operating system version.
If you’re interested in the technical details, the update, according to Apple, improves the detection of the end of function statements when parsing environment variables, incorporates a change that resets the parser state, and adds a new namespace for exported functions, which prevents unintended passthrough of HTTP headers to BASH as function definitions.
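As an added example (not from the article, and not Apple’s or the bash project’s own code), the POSIX shell script below shows what that “new namespace for exported functions” looks like in a patched bash: a plain environment variable whose value starts with `() {` is no longer imported as a function, while functions exported with `export -f` travel under a dedicated `BASH_FUNC_<name>` variable name that ordinary variables (such as HTTP headers copied into a CGI environment) cannot collide with. It assumes a `bash` binary with the Shellshock fixes installed is on the PATH; the variable name `shellshock_probe` and the function `hello` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: observe the exported-function namespace in a patched bash.
# Every check runs inside "bash -c" so the outer shell can be plain sh.

# Before the fix, a child bash treated ANY environment variable whose value
# began with "() {" as a function definition. A patched bash ignores such
# variables, so the child reports the name as not defined at all.
# Prints "function" if the variable was imported, "ignored" otherwise.
plain_var_imported() {
    if env 'shellshock_probe=() { echo imported; }' \
        bash -c 'type -t shellshock_probe' 2>/dev/null | grep -q function; then
        echo function
    else
        echo ignored
    fi
}

# After the fix, "export -f" places the function in its own namespace:
# upstream bash uses BASH_FUNC_<name>%%, some vendor patches BASH_FUNC_<name>().
# Prints the variable name bash actually used for the exported function.
exported_function_namespace() {
    bash -c 'hello() { echo hi; }; export -f hello;
             env | grep -o "^BASH_FUNC_hello[^=]*" | head -n 1'
}

# Legitimate exported functions still reach a child bash through that
# namespace, so the fix does not break normal function export.
exported_function_visible() {
    bash -c 'hello() { echo hi; }; export -f hello; bash -c hello'
}

# Summarise the three observations on one line.
shellshock_namespace_report() {
    echo "plain-var:$(plain_var_imported) namespace:$(exported_function_namespace) child:$(exported_function_visible)"
}
```

On a patched bash the report reads `plain-var:ignored namespace:BASH_FUNC_hello%% child:hi` (the namespace suffix may be `()` on some vendor builds); a bash that still printed `plain-var:function` would be missing the fix.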
We should also note that those beta testers who are running OS X 10.10 (Yosemite) are out of luck at the moment when it comes to a patch. Yosemite is reportedly going to be released in October, and we would assume that the vulnerability will be fixed in the public release. However, with this OS version Apple has done something it usually doesn’t do: put out a public beta. That’s standard operating procedure for Microsoft, but it’s the first time Apple has done it in over a decade.
Those who beta test operating systems tend to be the most advanced users, and advanced users are the ones most likely to enable the advanced UNIX services, play around with web services, and so forth; if you fall into that category, it’s important to be aware of your exposure. Luckily, most beta testers don’t use beta software for mission-critical work or to process sensitive information.
The reason the BASH vulnerability has received so much attention is that it affects so many different systems, running so many different implementations of *NIX-based operating system code. That means a large number of software vendors scrambling in parallel to get their own patches out there for their own products. We’re glad Apple has joined the parade and made a patch available, even if “the vast majority of Macs are safe” without it.