“A new vulnerability has been discovered in the bash shell which is affectionately being called ‘shellshock.’ It’s worth pointing out that this is quite serious and should be addressed,” David Acland reports for Amsys. “The bash shell is built into almost every Mac OS X system (I say almost, as some clever person may have decided to remove it from their Mac).”
“The shell has a small bit of code that it runs without question on certain older versions of bash. This code can be modified very easily so the attacker can add their own ‘bits’ into it to give them access to your Mac and do as they wish,” Acland reports. “From what I can gather it seems like this is only really a problem for computers that have some kind of external access enabled such as SSH or a web service. Some people have said ‘well that’s ok, I’m not running a web server.’ The problem is, you probably are. A lot of applications start up a small web service to perform their functions, not to mention the CUPS service running on port 631 that is accessible through a web browser by going to http://localhost:631.”
Acland reports, “After a bit of digging, I decided that upgrading my bash shell was the simplest course of action so here are some instructions.”
The upgrade instructions are in the full article.
U.S. government warns of Bash flaw affecting Apple’s OS X, other Unix-based systems – September 25, 2014