Apple patches OS X against Shellshock flaw

Patches out for Mountain Lion and Lion.

Apple has issued an out-of-band security update to deal with the Shellshock vulnerability in the Bash command line interpreter, responding to the discovery of a security flaw last week.

The patch is available as a manual update from Apple's support website. It was not made available via a software update on Mac computers.

The initial Bash update only covered OS X Mavericks. 

Apple's patch appears to cover the CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 vulnerabilities, according to iTnews' tests.

Google security researcher Michael "lcamtuf" Zalewski suggested a further test readers might look to perform:

foo='() { echo not patched; }' bash -c foo

If the command prints "not patched", it indicates Apple is still exposing the Bash parser in a dangerous way, as per the CVE-2014-6277 vulnerability.

Apple's patch also handles the test suggested by Zalewski.

Update 12:05pm: Apple has now posted fixes for OS X Mountain Lion 10.8.5 and Lion 10.7.5.

Apple also said in a security announcement that the updates contain the suggested CVE-2014-7169 change that resets the Bash parser state.

"In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers," Apple advised.
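The Zalewski check quoted above and the exported-function namespace Apple describes, as an added probe script that is not from the article or from Apple: it assumes a bash binary on PATH, reuses the widely published CVE-2014-6271 probe string alongside the one in the article, and only inspects what a child bash prints from a crafted environment.

```shell
#!/bin/sh
# Added example (not from the article or Apple). Each probe starts a child
# bash with one crafted environment variable and reads only its stdout.
# A probe returns 0 when the running bash behaves like a patched build.

# CVE-2014-6271: a patched bash must not execute the command that trails
# an imported function body.
probe_6271() {
    out=$(env x='() { :;}; echo NOT_PATCHED' bash -c : 2>/dev/null)
    [ "$out" != "NOT_PATCHED" ]
}

# Zalewski's check from the article (CVE-2014-6277 exposure): a patched bash
# ignores a function definition carried in a plain variable, so `foo` is
# never defined and nothing reaches stdout.
probe_zalewski() {
    out=$(env foo='() { echo not patched; }' bash -c foo 2>/dev/null)
    [ "$out" != "not patched" ]
}

# The namespace mechanism Apple describes: after the fix a function only
# crosses into a child through a decorated variable name (upstream bash uses
# BASH_FUNC_<name>%%, Apple's build uses __BASH_FUNC<name>()). This prints the
# decorated name(s) that a legitimately exported function produces.
exported_function_vars() {
    bash -c 'demo_fn() { :; }; export -f demo_fn; env' 2>/dev/null \
        | grep 'BASH_FUNC' | cut -d= -f1
}

# Aggregate verdict: 0 when every probe reports patched, 1 otherwise.
shellshock_status() {
    rc=0
    for p in probe_6271 probe_zalewski; do
        if "$p"; then echo "$p: patched"; else echo "$p: NOT patched"; rc=1; fi
    done
    return $rc
}

shellshock_status
echo "decorated export names: $(exported_function_vars)"
```

On any bash built after the 2014 fixes both probes report patched and the decorated name carries the BASH_FUNC marker; a plain `foo='() {...}'` variable never shows up in that list.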

The company did not say when OS X 10.10 Yosemite would receive an update.

Copyright © iTnews.com.au. All rights reserved.