{"id":32173,"date":"2014-09-30T14:11:16","date_gmt":"2014-09-30T21:11:16","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=32173"},"modified":"2014-09-30T14:29:59","modified_gmt":"2014-09-30T21:29:59","slug":"apples-os-x-bash-update-1-0-patches-shellshock-vulnerability","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/apples-os-x-bash-update-1-0-patches-shellshock-vulnerability\/","title":{"rendered":"Apple’s OS X Bash Update 1.0 Patches Shellshock Vulnerability"},"content":{"rendered":"

Apple has released OS X Bash Update 1.0, a security update for Mac OS X that patches the Shellshock vulnerability<\/a>. The Shellshock flaw affects the Bash shell used across many Unix-based systems including Mac OS X and variants of Linux.<\/p>\n

“This update fixes a security flaw\u00a0in the bash UNIX shell,” according to Apple.<\/p>\n

\"OS<\/p>\n

Apple’s OS X Bash Update 1.0 is available for: OS X Lion 10.7.5, OS X Lion Server 10.7.5, OS X Mountain Lion 10.8.5, and OS X Mavericks 10.9.5.<\/p>\n

Apple’s security announcement on Monday\u00a0described\u00a0the Bash bug fixes as follows:<\/p>\n

CVE-2014-6271<\/a>, CVE-2014-7169<\/a> : In certain configurations, a remote attacker may be able to execute arbitrary shell commands. An issue existed in Bash’s parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement. This update also incorporated the suggested CVE-201407169 change, which resets the parser state. In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have prefix “__BASH_FUNC<” and suffix “>()” to prevent unintended function passing via HTTP headers.<\/p><\/blockquote>\n

Apple’s OS X Bash Update 1.0 may be obtained from the following webpages:<\/p>\n