Apple has released a security update for OS X to patch the hole left open by Shellshock, a big, nasty bug that was discovered last week to be compromising potentially millions of computers, servers and other devices running on Linux, Unix and Mac OS X operating systems.
The updates are available for OS X Mavericks, OS X Mountain Lion and OS X Lion users and upgrade the Bash shell from version 3.2.51 to 3.2.53. Apple has not yet released a patch for beta users of OS X Yosemite, but an Apple spokesperson tells Ars Technica that future builds of the early-release operating system will come with fixes for Shellshock.
Last week, Apple told iMore that "the vast majority of OS X users are not at risk," except for advanced users who have configured advanced Unix services. Still, the iPhone maker is not taking chances and encourages users to download the security patches as soon as possible.
"Bash, a Unix command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced Unix services," Apple said in a statement sent to iMore. "We are working to quickly provide a software update for our advanced Unix users."
Shellshock is a quarter-century-old vulnerability discovered just last week in the Bash shell, a command processor that lets users type commands to the operating system in a text window. Security experts have classified Shellshock as "worse than Heartbleed" because of the pervasiveness of Bash and the length of time the bug went undetected. Bash, also known as the Bourne Again Shell, has been around since 1989.
Robert Graham, security analyst at cybersecurity firm Errata Security, says that "hundreds of thousands" of systems currently remain unpatched six months after Heartbleed was discovered because the vulnerability was found in "a bajillion software packages." Graham says the situation could be the same for Shellshock.
However, unlike Heartbleed, which left the private information of millions of users, such as credit card data, ripe for the picking by cyberattackers, Shellshock can actually do more: it allows hackers who exploit the Bash bug to take full control of computers and web servers and execute malicious code that will attack other systems in various ways. In fact, a number of exploits were spotted just hours after the bug was reported.
In the meantime, Mac users can manually download the security patch for Mavericks, Mountain Lion and Lion to keep their systems safe.