
The Bash Bug Makes Every Mac Vulnerable; Here’s How To Patch It

(Update, Sept. 29: News of additional bash vulnerabilities keeps pouring in, so the procedures listed here might not fully protect your system. We’ll update when we know more.)

Apple is aware of the bash “Shellshock” bug that affects OS X users, and issued a statement to say that the “vast majority” of Mac users should remain unaffected.

See also: How To Detect And Patch This Big, Bad Unix Bash Shellshock Bug

Bash, which stands for Bourne Again SHell, is a command-line interpreter that runs on Unix, Linux, and Apple computers. OS X Mavericks 10.9.5 shipped with Bash version 3.2, one of the seven versions of Bash vulnerable to the Shellshock bug.

To test if you are vulnerable, you can search for the Terminal program on your computer and input this line to be sure:

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo stuff"

If your computer responds “vulnerable, stuff”—well, you can guess what that means.

As evident in the screenshot, my version of bash is vulnerable to the bug—or at least it was, before I patched it (more on that in a minute). However, if you’re not the kind of person to mess around with advanced Unix options, Apple says the vast majority of Apple users shouldn’t worry about being vulnerable.

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson told iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

How To Patch Bash 3.2 On OS X

But what if you are an advanced Unix user? Or just a little too paranoid to take Apple at its word? If you’ve got some familiarity with the command line and some time on your hands, you can patch bash on your own.

First, make sure you have Apple’s Xcode developer tool installed. You can check by typing “xcodebuild” into Terminal anywhere. If it says something like “xcodebuild: error: The directory X does not contain an Xcode project,” then you already have it. If it says “Command not found,” you need to download it.

Second, you’ll want to make sure you actually are using bash version 3.2. To find out, type this into Terminal anywhere:

$ bash --version

If you get version 3.2.51, the default that comes with OS X, you’re all set to follow these instructions to manually upgrade to the patched version, 3.2.52.

The following are instructions from Wonder How To with additional information added for potential pitfalls. In order, you’ll want to type these commands into your Terminal window.

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ cd ..
$ sudo xcodebuild

Update: There are a few more steps than I previously thought; thanks to commenters for pointing that out:

Next, you need to back up the current version of bash, just in case something goes wrong:

sudo cp /bin/bash /bin/bash.old

sudo cp /bin/sh /bin/sh.old

Then, you want to verify that you’re running the latest version. Type these commands anywhere into Terminal:

build/Release/bash --version

build/Release/sh --version

Lastly, you want to replace the old version with the new one:

sudo cp build/Release/bash /bin

sudo cp build/Release/sh /bin
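An added example (not part of the original article): a shell helper that runs the article's env test against a given shell binary and refuses to go on to the copy step unless both freshly built binaries pass. The function names are hypothetical, and it checks only the single probe shown earlier, not the additional bash bugs mentioned in the update.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Run the article's probe against one shell binary and print its status:
#   missing | vulnerable | not-vulnerable | unknown
shellshock_status() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # Same probe as the article: a function definition in X with a trailing command.
    # Warnings from a patched bash go to stderr and are discarded.
    out=$(env X='() { :;} ; echo vulnerable' "$shell_path" -c 'echo stuff' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *stuff*)      echo "not-vulnerable" ;;
        *)            echo "unknown" ;;
    esac
}

# Return 0 only if both binaries produced by xcodebuild pass the probe.
# $1 is the directory that contains build/Release (bash-92 in the article).
ready_to_install() {
    build_dir=$1
    for name in bash sh; do
        result=$(shellshock_status "$build_dir/build/Release/$name")
        if [ "$result" != "not-vulnerable" ]; then
            echo "refusing to install $name: $result" >&2
            return 1
        fi
    done
    return 0
}

# Report on the shells currently installed on this machine.
for s in /bin/bash /bin/sh; do
    printf '%s: %s\n' "$s" "$(shellshock_status "$s")"
done
```

Running `ready_to_install .` from the bash-92 directory before the two `sudo cp` commands confirms the new build passes the probe before it replaces the system shells.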

Troubleshooting

If you downloaded Xcode specifically to patch bash and this is your first time using it, you will be prompted to input your password and then to agree with its terms of service by typing “agree” into Terminal. Instead of dealing with that during the fix, you may want to just type “sudo xcodebuild” anywhere in order to get it to prompt you for that stuff in advance.

If the commands that begin with “curl” are taking a very long time, as in more than twenty minutes (like in the screenshot above) this probably means they are about to time out. It’s not abnormal; it’s probably because a lot of people are working on implementing this patch. 

If that happens to you, go into Finder and find the “bash-fix” folder in your main directory. Delete the folder, empty the trash, and then go back into Terminal to restart the patch process again. 

Ideally, Apple will come out with a patch you can just download soon because this is a lot of work. But I feel a lot better seeing a blank response in Terminal when I check for bash vulnerabilities. 
