Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Apple Updates Bash for the Shellshock Vulnerability

Adam C. Engst

In a quick fix for the Shellshock vulnerability, Apple has released updates to the Bash shell for the three most recent versions of OS X: [1]10.7.5 Lion (3.5 MB), [2]10.8.5 Mountain Lion (3.3 MB), and [3]10.9.5 Mavericks (3.4 MB); see [4]"Macs Mostly Safe from Bash Vulnerability, but Be Ready to Patch" (26 September 2014). We presume the next beta release of 10.10 Yosemite will also include the fix.

The updates are not yet available via Software Update, but you can download and install the appropriate one from Apple's Support Downloads page. No reboot is required. Installing the patch updates Bash (in Mavericks) from 3.2.51 to 3.2.53; you can determine your version with this command in Terminal:

    bash --version

I'm aware of three Terminal-based tests for different aspects of the Shellshock vulnerability, as outlined in [5]this support article from hosting provider Linode. Apple's patch does indeed address the first two, which fail on an unpatched copy of OS X, but pass after the Bash update has been installed. However, the third test Linode outlines fails silently regardless of whether Apple's Bash update has been installed. From the reading I've done, that likely means that Apple's version of Bash is simply too old to have the appropriate warning code.

However, [6]Eric Blake of Red Hat has posted another approach that reportedly more fully tests Bash for the vulnerability. Happily, when I use his more comprehensive test, Apple's patch passes, and an unpatched copy of OS X fails. So, with any luck, installing Apple's OS X Bash Update 1.0 is all we Mac users will need to do.
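
As an added example (not from the original article or from Apple): a small shell check that classifies a "bash --version" banner against the 3.2.53 level the article reports for the patched Mavericks build. The function names and sample banner lines are constructed for illustration, and a version match is only an inventory signal; it does not replace the functional tests described above.

```shell
#!/bin/sh
# Added example: classify a `bash --version` banner against the patched
# level the article reports for Mavericks (3.2.51 -> 3.2.53).
# Assumption: only the 3.2 branch is judged. Other branches carry their
# own patch levels, so they are reported as "unknown", not "patched".

PATCHED_PATCHLEVEL=53

# Print "major minor patch" parsed from a banner line, or nothing at all
# if the line is not a Bash banner.
parse_bash_version() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Echo patched / unpatched / unknown for one banner line.
classify_bash() {
    # Re-use the positional parameters for the three parsed fields.
    set -- $(parse_bash_version "$1")
    [ $# -eq 3 ] || { echo unknown; return; }
    if [ "$1" -ne 3 ] || [ "$2" -ne 2 ]; then
        echo unknown
    elif [ "$3" -ge "$PATCHED_PATCHLEVEL" ]; then
        echo patched
    else
        echo unpatched
    fi
}

# Constructed sample banners (not captured from real machines).
for banner in \
    'GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)' \
    'GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)' \
    'GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)'
do
    printf '%-10s %s\n' "$(classify_bash "$banner")" "$banner"
done

# Classify the Bash installed on this machine, if there is one.
if command -v bash >/dev/null 2>&1; then
    live=$(bash --version | sed -n '1p')
    printf '%-10s %s (this machine)\n' "$(classify_bash "$live")" "$live"
fi
```

An "unknown" result means the banner is not from the 3.2 branch the article discusses, so the comparison against 3.2.53 says nothing about it.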

Those still running 10.6 Snow Leopard or earlier will have to jump through more hoops to patch Bash, but even that may be necessary only if the Mac in question is accessible from the outside Internet and is running a Web server or has remote login turned on. A normal Mac, on a local network behind an AirPort base station or the like, should be safe from attack.

References

1. http://support.apple.com/kb/DL1767
2. http://support.apple.com/kb/DL1768
3. http://support.apple.com/kb/DL1769
4. http://tidbits.com/article/15105
5. https://www.linode.com/docs/security/security-patches/patching-bash-for-the-shellshock-vulnerability
6. https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00238.html