Apple today released OS X bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion which fixes a security flaw in the bash UNIX shell.
For more information on the security content of this update, see http://support.apple.com/kb/HT1222
What about the greatest Apple OS EVER? Snow Leopard!
Oh yeah, obsolete as Burgess Meredith in the 1961 Twilight Zone episode.
XP SUPPORT LASTED FAR LONGER THAN APPLE SUPPORT!!!
Chew on that, fanboys and girls … 😉
XP HAD to be supported for a long time because Vista was so bad Microsoft had a hard time getting enterprise to trust them again. Notice that all the big companies are just now upgrading to Windows 7 and ignoring Windows 8.
You say that as if it’s a good thing…
At-risk Snow Leopard users can go download the bash-80 sourcecode from opensource.apple.com and patch it themselves.
And trust me, if they’re at risk from Shellshock, they’ll know how to do that.
Good luck making your own security patches for Windows XP 😉
I do agree Snow Leopard was my favorite OS.
Apple doesn’t cling to relics.
And the age of a RELIC is ???
Relicated!
Two generations
No updates available, not auto installed….
… your update app will not tell you to download this.
It IS available, though. http://support.apple.com/kb/HT1222 In three versions, one for each recent version of the OS. I’ve done it on one of my Macs, will soon apply it to another, then to the third. Not feeling particularly “at risk”, I see no reason to hurry.
Thanks!
I too expected the patch to come down through the NORMAL update way, but no. You have to go hunt this one down and download special. That was not smart. Should have come in through the App Store app like ALL the others. Maybe even more so because it’s a real security issue.
Snow Leopard is the only usable OSX server OS. It’s mandatory that the BASH security bug gets fixed in that release. If it isn’t, there could be lots of legal issues for Apple to deal with.
BTW – the current “fix” doesn’t fix the bug. BASH remains vulnerable to the reported problem.
If you weren’t such a newb you’d have patched it yourself already. It’s a 7-year-old OS, get over it already.
If there were “lots of legal issues for Apple,” then the FDC SeaTac would be overflowing with Microsoft alumnæ.
The update works perfectly with Mavericks, but strangely it doesn’t show up in the app store.
Where did you get it? Can’t find it…
http://support.apple.com/kb/DL1769
Snow Leopard is still widely used in shops where the need for the Rosetta technology is vital — I know of several media shops where some number of their production Macs are STILL running SL 10.6.8 — humming along reliably and efficiently, using Rosetta to access Adobe Creative Suite version 3, in the case of one large production shop — we are talking many machines, here, where each SL-powered machine is running its own legitimate licensed version of the old Adobe Creative Suite of tools — the multiple licences were very expensive when purchased from Adobe, back in ~2005.
As the shop sees the situation, they paid out tens of thousands of dollars in software costs to purchase legitimate licensed copies, and intend on running the old Adobe software in a real-time production environment for as long as they can — they have no reason to change, as version 3 meets all of their needs, day in, day out.
I just assisted them in purchasing/setting up several additional *used* Macs, that will run the OSX SL 10.6.x, so that they can continue utilizing their old Adobe licenses, and really wringing out the value of their sunk capital cost.
As best as I can tell, at this point, they are not vulnerable to this shell exploit, because they do not use any of their Macs for web-facing serving machines via Apache, etc. Whether Apple does, or does not, choose to upgrade the SL 10.6.x BASH does not seem to be an issue, in their case.
Niffy
If you’re a server administrator, you can patch this yourself by updating bash through the command line.
Well said. In my occupation your playbook pretty much mirrors the same experience.
Rock-solid Snow Leopard. Obsolete and R.I.P. as far as the spaceship treadmill-upgrade denizens at Apple are concerned.
But you know what? It just works and for some keeps humming right along … 🙂
F**k it MDN, how come EVERYBODY else gets out updates for their apps and you cannot update yours??? Really, iPad app is so much more user friendly than the browser route. Get it together!
I just applied the update for Mountain Lion and ran the following code in Terminal App and that reports that I am still vulnerable. env x='() { :;}; echo vulnerable' bash -c 'echo hello'
Something is still not right here.
I still can’t find that update! Where did it come from?
Here it is for all versions of OSX
http://support.apple.com/downloads/
> reports that I am still vulnerable. env x='() { :;}; echo vulnerable' bash -c 'echo hello'
This is confusing. Can someone explain it…?
Hey bill.. are you running a web server with shitty CGI scripts? No? Didn’t think so.. you are safe.
Your attitude to a legitimate concern is an embarrassment to true Apple fans. I’d go as far as to say you’re actually a Windows/Android troll trying to make Apple users look bad.
Hi Jonathan, It must be great having a brain the size of your dick.
This fix does not work.
If you test it against multiple variations of Shellshock, some of them still work.
Should you want to know more, and fix the problem yourself (with brew and some work on the Terminal), go to .
Best of luck.
Go to
shellshocker(dot)net
I’m wondering about my beta version of Yosemite.
Will it need an upgrade?
Yes. The version of bash in Yosemite is
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin14)
so it’s vulnerable. Watch for an update coming…
Today’s update of Yosemite (beta 4) has Bash version 3.2.53(1) which is *not* vulnerable. You can check by running
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
in a bash shell in a terminal window.
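Added example, not part of the article or of any commenter's post: the check quoted above, wrapped so it can be run against each shell binary on a machine and return a verdict. The function names and the list of paths are assumptions for illustration. It covers only this one probe, so a PATCHED result says nothing about the other variations mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the article or its commenters).
# Function names and the list of paths below are assumptions for illustration.

# Read probe output on stdin and print a verdict.
classify_probe_output() {
    out=$(cat)
    case "$out" in
        *vulnerable*) echo "VULNERABLE" ;;  # the injected command ran
        *hello*)      echo "PATCHED" ;;     # only the intended command ran
        *)            echo "UNKNOWN" ;;     # neither marker appeared
    esac
}

# Run the probe quoted in the comments against one shell binary.
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo "MISSING"; return 0; }
    # Plain ASCII quotes: curly quotes pasted from a web page break the probe.
    env x='() { :;}; echo vulnerable' "$bin" -c 'echo hello' 2>/dev/null |
        classify_probe_output
}

# Report path, verdict and version banner for each path given.
scan_paths() {
    for bin in "$@"; do
        ver=$("$bin" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$bin" "$(check_bash "$bin")" "${ver:-version unknown}"
    done
}

# /bin/sh is included because on OS X it is also bash;
# /usr/local/bin/bash is where a Homebrew-installed bash usually lives.
scan_paths /bin/bash /bin/sh /usr/local/bin/bash
```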
Where is Garth to help me do this thing? UNIX is SEXY by the way. 😉
A few comments:
1) bash Update 1.0 is only the first. It patches 2 of the 6 current (until tomorrow) security flaws in Bash. Expect at least one further update.
2) All three of the update variants are now available for download from:
http://support.apple.com/downloads/
3) The Apple Security Document for the update is now available via the link in the article summary.
4) At this time, no Mac client computers have anything to fear from the Bash bugs. That’s why the update is not being offered in Software Update/App Store. Another factor is that this is NOT going to be the last update. My best guess is that the final (if there is one) Bash update will be incorporated into a future overall security update. We’ll see.
In the meantime, if you have an OS X server exposed to the Internet: UPDATE IMMEDIATELY. Exploits are already available on the net.
I’m keeping track of the Bash CVEs (known security flaws) as they are discovered, described and patched at my Mac-Security blog:
http://mac-security.blogspot.com/2014/09/coverage-of-apples-bash-shellshock-bugs.html