Greg Wiseman

Apple Releases Patch for Shellshock, May Still Be Vulnerable

Blog Post created by Greg Wiseman Employee on Sep 30, 2014

Yesterday, Apple released security updates that address two of the "Shellshock" bash vulnerabilities: CVE-2014-6271 and CVE-2014-7169. At the time of writing, the updates are not available using Software Update on OS X. Instead, users should download the package directly from Apple's web site to install it. Updates are available for 10.7 (Lion), 10.8 (Mountain Lion) and 10.9 (Mavericks).


Amidst the flurry of activity and interest around Shellshock over the last week, several additional bash vulnerabilities have come to light. The initial fix for CVE-2014-6271 was incomplete, leading to CVE-2014-7169 being found. Since then, several more related CVEs have been announced. Hanno Böck has released a simple tool called bashcheck that tests which vulnerabilities an installed version of bash is susceptible to. I ran this on a patched version of 10.8 (Mountain Lion) and verified the fix addresses the first two vulnerabilities, but it seems that the updated version of bash may still be vulnerable to CVE-2014-7186:




All OS X users are advised to apply this update immediately. Metasploit already has a local root exploit for OS X via VMWare Fusion due to CVE-2014-6271.


Additional information about this update from Apple is available in this post to their security-announce mailing list.


Update (October 2nd):


OS X users can breathe a little easier. The bashcheck script has been updated with some refined tests, which now indicate that although Apple's updated version of Bash does still contain two Shellshock-related bugs, they are not actually exploitable. Output from a patched Mavericks system:



Just to drive home the importance of applying this update, here is the result from an unpatched Mavericks system: