Apple has issued an out-of-band security update to deal with the Shellshock vulnerability in the Bash command line interpreter, responding to the discovery of a security flaw last week.
The patch is available as a manual update from Apple's support website. It was not made available via a software update on Mac computers.
The initial Bash update only covered OS X Mavericks.
Apple's patch appears to cover the CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 vulnerabilities, according to iTnews' tests.
Google security researcher Michael "lcamtuf" Zalewski suggested a further test readers might look to perform:
foo='() { echo not patched; }' bash -c foo
If the script returns "not patched", it indicates Apple is still exposing the Bash parser in a dangerous way as per the CVE-2014-6277 vulnerability.
Apple's patch also handles the test suggested by Zalewski.
Update 12:05pm: Apple has now posted fixes for OS X Mountain Lion 10.8.5 and Lion 10.7.5.
Apple also said in a security announcement that the updates contains the suggested CVE-20147-169 change that resets the Bash parser state.
"In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers,” Apple advised.
The company did not say when OS X 10.10 Yosemite would receive an update.
