Apple releases OS X bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion

Apple today released OS X bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion, which fixes a security flaw in the bash UNIX shell.

For more information on the security content of this update, see http://support.apple.com/kb/HT1222


37 Comments

  1. What about the greatest Apple OS EVER? Snow Leopard!

    Oh yeah, obsolete as Burgess Meredith in the 1961 Twilight Zone episode.

    XP SUPPORT LASTED FAR LONGER THAN APPLE SUPPORT!!!

    Chew on that, fanboys and girls … 😉

    1. XP HAD to be supported for a long time because Vista was so bad Microsoft had a hard time getting enterprise to trust them again. Notice that all the big companies are just now upgrading to Windows 7 and ignoring Windows 8.

    2. At-risk Snow Leopard users can go download the bash-80 sourcecode from opensource.apple.com and patch it themselves.

      And trust me, if they’re at risk from Shellshock, they’ll know how to do that.

      Good luck making your own security patches for Windows XP 😉

    1. … your update app will not tell you to download this.
      It IS available, though. http://support.apple.com/kb/HT1222 In three versions, one for each recent version of the OS. I’ve done it on one of my Macs, will soon apply it to another, then to the third. Not feeling particularly “at risk”, I see no reason to hurry.

    2. I too expected the patch to come down through the NORMAL update way, but no. You have to go hunt this one down and download special. That was not smart. Should have come in through the App Store app like ALL the others. Maybe even more so because it’s a real security issue.

  2. Snow Leopard is the only usable OSX server OS. It’s mandatory that the BASH security bug gets fixed in that release. If it isn’t, there could be lots of legal issues for Apple to deal with.

    BTW – the current “fix” doesn’t fix the bug. BASH remains vulnerable to the reported problem.

  3. Snow Leopard is still widely used in shops where the need for the Rosetta technology is vital — I know of several media shops where some number of their production Macs are STILL running SL 10.6.8 — humming along reliably and efficiently, using Rosetta to access Adobe Creative Suite version 3, in the case of one large production shop — we are talking many machines, here, where each SL-powered machine is running its own legitimate licensed version of the old Adobe Creative Suite of tools — the multiple licences were very expensive when purchased from Adobe, back in ~2005.

    As the shop sees the situation, they paid out tens of thousands of dollars in software costs to purchase legitimate licensed copies, and intend on running the old Adobe software in a real-time production environment for as long as they can — they have no reason to change, as version 3 meets all of their needs, day in, day out.

    I just assisted them in purchasing/setting up several additional *used* Macs, that will run the OSX SL 10.6.x, so that they can continue utilizing their old Adobe licenses, and really wringing out the value of their sunk capital cost.

    As best as I can tell, at this point, they are not vulnerable to this shell exploit, because they do not use any of their Macs for web-facing serving machines via Apache, etc. Whether Apple does, or does not, choose to upgrade the SL 10.6.x BASH does not seem to be an issue, in their case.

    Niffy

    1. Well said. In my occupation your playbook pretty much mirrors the same experience.

      Rock-solid Snow Leopard. Obsolete and R.I.P. as far as the spaceship treadmill-upgrade denizens at Apple are concerned.

      But you know what? It just works and for some keeps humming right along … 🙂

  4. F**k it MDN, how come EVERYBODY else gets out updates for their apps and you cannot update yours??? Really, iPad app is so much more user friendly than the browser route. Get it together!

  5. I just applied the update for Mountain Lion and ran the following code in Terminal App and that reports that I am still vulnerable. env x='() { :;}; echo vulnerable' bash -c 'echo hello'

    Something is still not right here.

      1. Your attitude to a legitimate concern is an embarrassment to true Apple fans. I’d go as far as to say you’re actually a Windows/Android troll trying to make Apple users look bad.

  6. This fix does not work.
    If you test it against multiple variations of Shellshock, some of them still work.
    Should you want to know more, and fix the problem yourself (with brew and some work on the Terminal), go to .
    Best of luck.

      1. Today’s update of Yosemite (beta 4) has Bash version 3.2.53(1) which is *not* vulnerable. You can check by running
           env x='() { :;}; echo vulnerable' bash -c 'echo hello'
        in a bash shell in a terminal window.
