Slashdot Mirror


Apple Fixes Shellshock In OS X

jones_supa (887896) writes Apple has released the OS X Bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion, a patch that fixes the "Shellshock" bug in the Bash shell. Bash, which is the default shell for many Linux-based operating systems, has been updated two times to fix the bug, and many Linux distributions have already issued updates to their users. When installed on an OS X Mavericks system, the patch upgrades the Bash shell from version 3.2.51 to version 3.2.53. The update requires the OS X 10.9.5, 10.8.5, or 10.7.5 updates to be installed on the system first. An Apple representative told Ars Technica that OS X Yosemite, the upcoming version of OS X, will receive the patch later.

4 of 174 comments

  1. Why isn't this auto-update? by Anonymous Coward · Score: 5, Informative

    I have 10.9.5 and checked for software updates. None. Why do I have to click the link in the Slashdot article and manually download the patch?!?!?

    1. Re: Why isn't this auto-update? by kybred · Score: 4, Informative

      I downloaded and installed this update. It updates bash to version 3.2.53(1), but a patch to version 3.2.54(1) is available on gnu.org. I'm guessing that there will be more updates since additional issues with the parsing in bash have been (are being) found.

    2. Re: Why isn't this auto-update? by Anonymous Coward · Score: 2, Informative

      Why not?

      http://opensource.apple.com

  2. No sensible person ever thought it was impossible by daveschroeder · Score: 2, Informative

    But even here, again, when you look at a typical OS X desktop system, how many people:

    1. Have Apache enabled AND exposed to the public internet (i.e., not behind a NAT router, firewall, etc.)?

    2. Even have Apache or any other services enabled at all?

    ...both of which would be required for this exploit. The answer? Vanishingly small to be almost zero.

    So, in the context of OS X, it's yet another theoretical exploit; "theoretical" in the sense that it affects essentially zero conventional OS X desktop users. Could there have been a worm or other attack vector which then exploited the bash vulnerability on OS X? Sure, I suppose. But there wasn't, and it's a moot point since a patch is now available within days of the disclosure.

    And people running OS X as web servers exposed to the public internet, with the demise of the standalone Mac OS X Server products as of 10.6, is almost a thing of yesteryear itself.

    Nothing has changed since that era: all OSes have always been vulnerable to attacks, both via local and remote by various means, and there have been any number of vulnerabilities that have only impacted UN*X systems, Linux and OS X included, and not Windows, over very many years. So yeah, nothing has changed, and OS X (and iOS) is still a very secure OS, by any definition or viewpoint of the definition of "secure", when viewed alongside Windows (and Android).