Sept 25, 2014: A major vulnerability was discovered on Bash, affecting OS X
That vulnerability, dubbed Shellshock or Bash Bug is a 10 out of 10 in the clusterf**k scale. it is really serious.
You are urged to, at least, check if your system is affected, and secondly to patch that vulnerability as soon as you can.
Apple Update!
Apple has (finally) released a Bash updates for Lion, Mountain Lion and Mavericks.
All users are highly recommended to update to the latest Bash version 3.2.53(1) to patch the recently found Shellshock / BashBug Vulnerability.
As of Oct 1st, the update for 10.9 is not yet available through OS X Software Update. The updates are available for download and install here:
OS X Lion http://support.apple.com/kb/DL1767
OS X Mountain Lion http://support.apple.com/kb/DL1768 –
OS X Mavericks http://support.apple.com/kb/DL1769
As of Oct 1st, 7:00 AM EST, the following is depreciated, unless you are still on 10.6 (Snow Leopard) or below.
Update Sept 26:
>>> DO NOT USE "Tools" or "Apps" downloaded from the Internet that pretends to fix that bug: Phising attempts / Worms have already been reported.
Only trust genuine patches i.e Apple inc.
See also bottom of the page for extra precautions.
Update Sept 27:
The vulnerability has been downgraded for OSX, A statement from Apple sent to CNET points out that:
"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an emailed statement from Apple to CNET said.
"Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems," it continues. "With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users." (source: CNET)
Other reliable sources have also tested the bug and found that dhcp was "safe" on OS X.
Nevertheless, other reliable sources are less certain and still recommend patching.
Until an official patch has been released, I would use caution. I will let you decide.
How to check:
Open Terminal
Type (or copy/paste) the following command line (Verbatim)
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
If you system is vulnerable to Shellshock, you will see "vulnerable hello"
If your system is safe from Shellshock, you should see something as:
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
The fix:
In Terminal:
>> Note: Do not type the $ sign, it's the indication that you have to enter that line in Terminal and execute.
Note: You MUST have Xcode installed
Note: You MUST have Xcode installed
Note: READ the above again
$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ cd ..
$ xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version # GNU bash, version 3.2.52(1)-release
$ build/Release/sh --version # GNU bash, version 3.2.52(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin
$ sudo -K
Then check the install and version:
$ bash --version
The answer should be:GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
Then Re-Test for the vulnerability:
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
Vulnerability seems to be Gone! :)
You're a bit safer now! Now wait for an official update
For security purpose, and after having tested that your Terminal and Bash are working properly,It is recommended that you chmod -x the old Bash versions to ensure they aren't re-used without your consent, or you could move the old bash to a backup/new location.
Type/copy
$ sudo chmod a-x /bin/bash.old /bin/sh.old
If you have Homebrew, you should also update it.
Do you have Homebrew?
Well...
In Terminal, type
$ brew --version
If "command not found" You don't have it.
If you see a version, you have have, and thou shall update it ..
What is Bash?
Bash stands for Bourne Again Shell.
It's an extremely powerful command operator that allows you to do pretty much anything.
If you are not familiar with Bash, or Unix like command lines operator, I would suggest that you review/learn the basic of it:
Learning Unix for OS X: Going Deep With the Terminal and Shell
The Linux Command Line: A Complete Introduction
Troubleshooting:
- When something is b0rken, always double check the spelling, especially with Terminal and Bash.
- With the command
$ xcodebuild
you get a "Agreeing to the Xcode/iOS license requires admin privileges, please re-run as root via sudo."
>> Enter "sudo xcodebuild" and then follow the instruction up till you see the "Agree, cancel, print" message
Extra precaution:
It's only been 24hrs, and we already see worms and hackers attempting to use Shellshock. Nobody is really sure about the implications and breadth of this issue, as such I would highly recommend to:
1- Keep an eye opened for an official Apple patch
2- Just in case, install a free antivirus/malware for Mac such as Sophos Home Edition. Repeat: Free, don't fall for the premium. An Antivirus / Antimalware does not protect against Shellshock, but could prevent you from installing a "loaded" app