A few weeks ago Apple released an update which addresses the bash security vulnerability found in OS X during the last week of September 2014. The security vulnerability was nicknamed Shellshock, or the bash bug, and reportedly affects all versions of OS X as well as many versions of Linux and Unix released over the past 25 years.
Apple’s update is only available for OS X version 10.7 (Lion), 10.8 (Mountain Lion), and 10.9 (Mavericks). OS X 10.10 (Yosemite), which was released in mid-October, has the update built in. Apparently, Apple has no plans to release bash updates for versions of OS X older than 10.7, so if your Mac is running an older version of OS X you should either make sure that Remote Login is not enabled in the Sharing System Preference area or upgrade your Mac to OS X 10.7 or higher. Section 2 of this article gives you instructions to disable Remote Login. [UPDATE: A third-party company, MacMiniVault, has written an update for OS X 10.6.8 which they believe fixes most if not all of the bash vulnerabilities. You can download this update from GitHub. Use at your own risk.]
For reasons that aren’t entirely clear to me, Apple doesn’t make this bash update available via Software Update. Instead, users need to manually download and install it. To download it, go to Apple’s Software Downloads web site and get the bash update for your version of OS X (Lion, Mountain Lion or Mavericks). After downloading it you’ll typically find it in your Downloads folder. Then you’ll need to manually install it. Before you install it, make sure that you’re running the most current version of Lion (OS X 10.7.5), Mountain Lion (OS X 10.8.5), or Mavericks (OS X 10.9.5). You can click on the Apple menu and select About This Mac to see which version you have installed, and click the Software Update button to get an update if you need it.
If you want to be even more thorough and you’re comfortable using the Terminal application then you could check that bash has been updated by doing the following:
Open Terminal and then type: bash --version and then press the Return key. (That is two hyphen characters in front of the word “version”.)
The version of bash installed on your computer will be displayed. You want the version number to match one of these:
OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
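The comparison above can also be scripted. The following is an added example, not part of the original Tech Tip or anything from Apple: a shell function that reads the first line of bash --version output and checks it against the three builds listed above. The function name and the status words are made up for this example, and treating a 3.2 patch level higher than 53 as fine is an assumption.

```shell
#!/bin/sh
# Added example: compare the first line of `bash --version` with the
# patched builds listed in the article (3.2.53 on darwin11/12/13).

# Series and patch level the article lists for Lion, Mountain Lion, Mavericks.
EXPECTED_SERIES="3.2"
EXPECTED_PATCH=53

# bash_update_status LINE   (hypothetical helper name)
# Prints one of: ok, needs-update, not-listed, unparsed
bash_update_status() {
    line=$1
    # Pull "3.2.53" out of "GNU bash, version 3.2.53(1)-release (...)".
    version=$(printf '%s\n' "$line" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)(.*/\1/p')
    # Pull "13" out of "(x86_64-apple-darwin13)".
    darwin=$(printf '%s\n' "$line" |
        sed -n 's/.*-apple-darwin\([0-9][0-9]*\).*/\1/p')

    if [ -z "$version" ] || [ -z "$darwin" ]; then
        echo unparsed
        return 0
    fi

    # The article only lists darwin11 (Lion), 12 (Mountain Lion), 13 (Mavericks).
    case $darwin in
        11|12|13) ;;
        *) echo not-listed; return 0 ;;
    esac

    series=${version%.*}     # e.g. "3.2"
    patch=${version##*.}     # e.g. "53"
    if [ "$series" != "$EXPECTED_SERIES" ]; then
        # Not Apple's 3.2 bash (for example a self-installed build).
        echo not-listed
    elif [ "$patch" -ge "$EXPECTED_PATCH" ]; then
        # Assumption: a later 3.2 patch level also contains the update.
        echo ok
    else
        echo needs-update
    fi
}

# To check the local shell:
#   bash_update_status "$(bash --version | head -n 1)"
```

A result of not-listed means the article gives no expected version string for that system (OS X 10.6 or 10.10, for example), so the output says nothing either way.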