(Update, Sept. 29: News of additional bash vulnerabilities keeps pouring in, so the procedures listed here might not fully protect your system. We’ll update when we know more.)
Apple is aware of the bash “Shellshock” bug that affects OS X users, and issued a statement to say that the “vast majority” of Mac users should remain unaffected.
See also: How To Detect And Patch This Big, Bad Unix Bash Shellshock Bug
Bash, which stands for Bourne Again SHell, is a command-line interpreter that runs on Unix, Linux, and Apple computers. OS X Mavericks 10.9.5 shipped with Bash version 3.2, one of the seven versions of Bash vulnerable to the Shellshock bug.
To test if you are vulnerable, you can search for the Terminal program on your computer and input this line to be sure:
env X="() { :;} ; echo vulnerable" /bin/sh -c "echo stuff"
If your computer prints “vulnerable” (followed by “stuff”) instead of just “stuff”—well, you can guess what that means.
As evident in the screenshot, my version of bash is vulnerable to the bug—or at least it was, before I patched it (more on that in a minute). However, if you’re not the kind of person to mess around with advanced Unix options, Apple says the vast majority of Apple users shouldn’t worry about being vulnerable.
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson told iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
How To Patch Bash 3.2 On OS X
But what if you are an advanced Unix user? Or just a little too paranoid to take Apple at its word? If you’ve got some familiarity with the command line and some time on your hands, you can patch bash on your own.
First, make sure you have Apple’s Xcode developer tool installed. You can check by typing “xcodebuild” into Terminal anywhere. If it says something like “xcodebuild: error: The directory X does not contain an Xcode project,” then you already have it. If it says “Command not found,” you need to download it.
Second, you’ll want to make sure you actually are using bash version 3.2. To find out, type this into Terminal anywhere:
$ bash --version
If you get version 3.2.51, the default that comes with OS X, you’re all set to follow these instructions to manually upgrade to the patched version, 3.2.52.
The following are instructions from Wonder How To with additional information added for potential pitfalls. In order, you’ll want to type these commands into your Terminal window.
$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ cd ..
$ sudo xcodebuild
Update: There are a few more steps than I previously thought; thanks to commenters for pointing that out:
Next, you need to back up the current version of bash, just in case something goes wrong:
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
Then, you want to verify that you’re running the latest version. Type these commands anywhere into Terminal:
build/Release/bash --version
build/Release/sh --version
Lastly, you want to copy and paste the old version and replace it with the new:
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
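The vulnerability test near the top of this article and the patch steps above, gathered into one script as an added example (this is not code from the article, from Apple, or from Wonder How To). The URLs, the 3.2.51/3.2.52 version numbers and the build/Release paths are taken from the article; the function names, the `-fsSL` curl flags, the `--install` gate and the refusal to copy anything into /bin until the freshly built binaries report 3.2.52 and pass the env test are this example's own additions.

```shell
#!/bin/sh
# Added example, not the article's own commands: a version-gated, verified
# version of the manual Shellshock patch procedure for the stock OS X bash 3.2.
set -eu

# Print "vulnerable" or "patched" for the shell binary given as $1.
# This is the article's check: a crafted environment variable that an
# unpatched bash imports as a function definition and then runs the
# trailing command that follows it.
shellshock_status() {
    out=$(env X='() { :;} ; echo vulnerable' "$1" -c 'echo stuff' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Given the first line of "bash --version", print just the number, e.g. 3.2.51.
bash_version_of() {
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version \([0-9][0-9.]*\).*/\1/p'
}

# "yes" only for the stock 3.2.51 the article's steps are written for.
needs_manual_patch() {
    [ "$(bash_version_of "$1")" = "3.2.51" ] && echo yes || echo no
}

# Download, patch, build, verify, back up and install. Nothing is copied
# into /bin unless both built binaries report 3.2.52 and pass the env test.
install_patched_bash() {
    command -v xcodebuild >/dev/null 2>&1 || {
        echo "Xcode is required (xcodebuild not found)" >&2; return 1; }
    if [ "$(needs_manual_patch "$(bash --version | head -n 1)")" != "yes" ]; then
        echo "installed bash is not 3.2.51; these steps only apply to the stock OS X bash" >&2
        return 1
    fi
    mkdir -p bash-fix
    cd bash-fix
    # -f makes curl fail on HTTP errors instead of piping an error page into tar/patch.
    curl -fsSL https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
    (cd bash-92/bash-3.2 &&
        curl -fsSL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0)
    cd bash-92
    sudo xcodebuild
    for bin in bash sh; do
        ver=$(bash_version_of "$(build/Release/$bin --version | head -n 1)")
        [ "$ver" = "3.2.52" ] || {
            echo "build/Release/$bin reports $ver, not 3.2.52; aborting" >&2; return 1; }
        [ "$(shellshock_status "build/Release/$bin")" = "patched" ] || {
            echo "build/Release/$bin still fails the env test; aborting" >&2; return 1; }
    done
    sudo cp /bin/bash /bin/bash.old
    sudo cp /bin/sh /bin/sh.old
    sudo cp build/Release/bash /bin
    sudo cp build/Release/sh /bin
    echo "installed bash $(bash_version_of "$(/bin/bash --version | head -n 1)")"
    echo "/bin/sh is now: $(shellshock_status /bin/sh)"
}

# Only run the procedure when asked for explicitly; otherwise just define
# the functions so they can be sourced and used for checks on their own.
if [ "${1-}" = "--install" ]; then
    install_patched_bash
fi
```

Run `sh patch-bash.sh --install` (any filename works) to perform the procedure, or source the file and call `shellshock_status /bin/sh` and `shellshock_status /bin/bash` to check either shell without changing anything. The script leaves the bash-fix folder in place so a timed-out download can be retried after deleting it, as the troubleshooting section describes.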
Troubleshooting
If you downloaded Xcode specifically to patch bash and this is your first time using it, you will be prompted to input your password and then to agree with its terms of service by typing “agree” into Terminal. Instead of dealing with that during the fix, you may want to just type “sudo xcodebuild” anywhere in order to get it to prompt you for that stuff in advance.
If the commands that begin with “curl” are taking a very long time, as in more than twenty minutes (like in the screenshot above) this probably means they are about to time out. It’s not abnormal; it’s probably because a lot of people are working on implementing this patch.
If that happens to you, go into Finder and find the “bash-fix” folder in your main directory. Delete the folder, empty the trash, and then go back into Terminal to restart the patch process again.
Ideally, Apple will come out with a patch you can just download soon because this is a lot of work. But I feel a lot better seeing a blank response in Terminal when I check for bash vulnerabilities.
Photo via Shutterstock