WHAT HAPPENED?

Apple released OS X bash Update 1.0 to address the recently discovered Bash vulnerabilities (also known as Shellshock), CVE-2014-6271 or CVE-2014-7169.

Since the announcement of CVE-2014-6271 and CVE-2014-7169 vulnerabilities, two additional vulnerabilities were discovered. At this time no patches have been released to address them yet.

Advanced Users:

1. For a complete description of the security enhancements and affected software refer to Apple Security Updates at http://support.apple.com/kb/ht1222 where Apple will post the full report.
2. For detailed description of the two additional vulnerabilities refer to:

• Vulnerability Summary for CVE-2014-7186 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
• Vulnerability Summary for CVE-2014-7187 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187

AFFECTED SYSTEMS:

• Mac OSX Lion
• Mac OSX Mountain Lion
• Mac OSX Maverick

WHAT'S THE PROBLEM?

Bourne Again Shell, or Bash, is a command-line shell processor widely present in Unix and Linux systems, including Mac OSX. According to Apple most users are not affected by this bug unless they modified the default Unix settings or they have enabled on the 'Sharing' services (System Preferences -> Sharing -> Remote Login). If this vulnerability was exploited this could allow for an attacker to take control of your computer.

This is a uniquely fluid situation and as a reminder for out of band security updates, the prerequisites should be reviewed closely as these are not updates from the “Software Update” app. IT Field Services is testing pushing of these updates to centrally managed customers as soon as they are able.


HOW DO I PROTECT MY COMPUTER?

Update your software

1. If you are supported by ITFS or have different IT support, no action on your part is required.
2. If you do not have IT support or they do not support your computer, OS X bash Update 1.0 may be obtained from the following webpages:

• OS X Lion - http://support.apple.com/kb/DL1767
• OS X Mountain Lion - http://support.apple.com/kb/DL1768
• OS X Maveriks - http://support.apple.com/kb/DL1769

To check that bash has been updated:

a. Open Terminal
b. Execute this command:
    bash --version
c. The version after applying this update will be:

• OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
• OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
• OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

RELATED LINKS

• Apple Security Update at http://support.apple.com/kb/HT1222
• Vulnerability Summary for CVE-2014-6271 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
• Vulnerability Summary for CVE-2014-7169 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
• Vulnerability Summary for CVE-2014-7186 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
• Vulnerability Summary for CVE-2014-7187 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187
• ITS Security & Policy at http://it.ucsf.edu/security