Apple patches OS X against Shellshock flaw

Patches out for Mountain Lion and Lion.

Apple has issued an out-of-band security update to deal with the Shellshock vulnerability in the Bash command line interpreter, responding to the discovery of a security flaw last week.

The patch is available as a manual update from Apple's support website. It was not made available via a software update on Mac computers.

The initial Bash update only covered OS X Mavericks. 

Apple's patch appears to cover CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187, according to iTnews' tests.

Google security researcher Michael "lcamtuf" Zalewski suggested a further test readers might look to perform:

foo='() { echo not patched; }' bash -c foo

If the command prints "not patched", Bash is still importing function definitions from arbitrarily named environment variables, exposing the parser in a dangerous way as per the CVE-2014-6277 vulnerability.

Apple's patch also handles the test suggested by Zalewski.

Update 12:05pm: Apple has now posted fixes for OS X Mountain Lion 10.8.5 and Lion 10.7.5.

Apple also said in a security announcement that the update contains the suggested CVE-2014-7169 change, which resets the Bash parser state.

"In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a '__BASH_FUNC<' prefix and '>()' suffix to prevent unintended function passing via HTTP headers," Apple advised.
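As an added example, not code from the article, from Zalewski or from Apple, the following script runs the checks discussed above against an installed Bash: the standard CVE-2014-6271 probe, the CVE-2014-7169 parser-state probe, Zalewski's test for function import from arbitrarily named variables, and a look at which variable-name namespace the installed Bash uses for exported functions. The BASH_BIN variable, the temporary-directory handling and the function name "demo" are assumptions of the example.

```shell
#!/bin/sh
# Added example for the checks discussed in the article; it is not code from
# iTnews, Zalewski or Apple. Each check runs a fresh child interpreter so the
# result reflects the installed Bash, not the shell running this script.
# BASH_BIN is an assumption: point it at the interpreter under test
# (for example BASH_BIN=/bin/bash on OS X after applying Apple's patch).
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: code placed after a function definition in an environment
# variable must not run when the child starts. A vulnerable Bash prints
# "vulnerable" before "ok"; a patched one prints only "ok".
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo ok' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first fix left parser state behind, so a crafted
# definition could redirect the next command. The classic probe tries to
# turn "echo date" into a write to a file called "echo" in the working
# directory; a patched Bash rejects the definition and no file appears.
check_cve_2014_7169() {
    tmp=$(mktemp -d)
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

# Zalewski's check as quoted in the article: a Bash that still imports a
# function from an arbitrarily named variable prints "not patched"; one that
# only imports from a dedicated namespace finds no command called foo.
check_parser_exposure() {
    out=$(env foo='() { echo not patched; }' "$BASH_BIN" -c foo 2>/dev/null || true)
    if [ "$out" = "not patched" ]; then echo exposed; else echo namespaced; fi
}

# Which namespace the installed Bash uses for exported functions: define and
# export a function (the name "demo" is arbitrary), then read its variable
# name back from the child's environment. Upstream Bash uses
# BASH_FUNC_demo%% (earlier fixed builds BASH_FUNC_demo()); Apple's OS X
# patch, per its advisory, uses __BASH_FUNC<demo>().
exported_function_env_name() {
    "$BASH_BIN" -c 'demo() { :; }; export -f demo; env | grep -i "bash_func.*demo" | cut -d= -f1'
}

main() {
    printf 'CVE-2014-6271 (env code execution): %s\n' "$(check_cve_2014_6271)"
    printf 'CVE-2014-7169 (parser state):        %s\n' "$(check_cve_2014_7169)"
    printf 'Zalewski parser-exposure test:       %s\n' "$(check_parser_exposure)"
    printf 'Exported-function variable name:     %s\n' "$(exported_function_env_name)"
}

main
```

Run it once per machine, setting BASH_BIN to the interpreter you care about (the system /bin/bash on OS X). On a Bash carrying Apple's patch the last line should show the __BASH_FUNC<demo>() form described in the advisory; upstream builds show BASH_FUNC_demo%% instead, and either answer means the Zalewski test should report "namespaced".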

The company did not say when OS X 10.10 Yosemite would receive an update.

Copyright © iTnews.com.au . All rights reserved.