Last week Apple released a statement regarding the Shellshock Bash exploit, which could possibly affect some versions of Apple’s OS X; the vast majority of users were not affected by the bug.
Users who were running advanced Unix services in OS X could have been vulnerable to the Shellshock Bash exploit, and Apple has now released a software update to fix the bug.
The update is available for users running OS X Mavericks, Mountain Lion and Lion, and you can find more information about the update from Apple at the link below.
OS X bash Update 1.0
- Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands
Description: An issue existed in Bash’s parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.
In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix “__BASH_FUNC<” and suffix “>()” to prevent unintended function passing via HTTP headers.
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy
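The naming rule in the description above can be modelled as a small audit over `NAME=VALUE` pairs. This is an added example, not Apple's or Bash's code: the function names, the verdict labels and the sample environment are constructed for illustration, and the `() {` test mirrors how unpatched Bash recognised a function definition in a variable's value.

```shell
#!/bin/sh
# Added example: model of the exported-function naming rule quoted above.
# Prints one verdict for a NAME VALUE pair:
#   plain    - value is ordinary data
#   function - function-shaped value under a decorated name (accepted by the rule)
#   rejected - function-shaped value under an ordinary name (never parsed as code)
classify_env_pair() {
    case $2 in
        '() {'*) ;;                       # value looks like a function definition
        *) echo plain; return 0 ;;
    esac
    case $1 in
        '__BASH_FUNC<'*'>()') echo function ;;
        *) echo rejected ;;
    esac
}

# Reads NAME=VALUE lines on stdin and prints the names worth logging:
# function-shaped values arriving under undecorated names, e.g. HTTP_* headers.
audit_env() {
    while IFS= read -r pair; do
        case $pair in
            *=*) ;;
            *) continue ;;                # skip lines without an assignment
        esac
        name=${pair%%=*}                  # text before the first '='
        value=${pair#*=}                  # text after the first '='
        verdict=$(classify_env_pair "$name" "$value")
        if [ "$verdict" = rejected ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample of a CGI-style environment (not captured from a real system).
SAMPLE_ENV='REQUEST_METHOD=GET
HTTP_USER_AGENT=() { :; }
__BASH_FUNC<greet>()=() { echo hi; }
PATH=/usr/bin:/bin'

printf '%s\n' "$SAMPLE_ENV" | audit_env
```

Because a web server builds CGI variable names such as `HTTP_USER_AGENT` from header names, a request header cannot produce a decorated name, which is why the rule stops function passing via HTTP headers.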