Apple OS X bash Update
1.0
30 September 2014

Fix for a security flaw in bash on OS X 10.9.

Overview

The OS X bash Update fixes a security flaw in the bash UNIX shell on OS X 10.9.5 (also on OS X 10.8 and 10.7 [see Related Links below]).

8 Apple OS X bash Update Reviews

Babalooz
30 September 2014

Most helpful

I wonder why Apple isn't pushing this through Software Update. Is there more than this coming?
Like (2)
Version 1.0
zo219
02 October 2014
Why has this not appeared as a Security Update? Just because Apple has more money than god, ... just because newbies have lowered expectations ... just because Apple Store Geniuses are anything but (which was not how it was originally set up) .... All of which amounts to: just because Steve is dead. I really think it does. Ok, add in Jony. Maybe he could design a cool interface for this?
Like
Version 1.0
1 answer(s)
Quantumpanda
14 October 2014
This same question was recently discussed on the TidBITS-Talk mailing list. At least one person's opinion was that so few Mac users are vulnerable to the Shellshock exploit as originally described that it would just confuse most users.

I don't buy that, myself. It wouldn't confuse users any more than any other Security Update. As for vulnerability, Adam Engst (editor of TidBITS) pointed out that just because the currently known exploit doesn't affect most users doesn't mean that nobody will find a way to use the same bug to make an exploit that can affect far more users.

The question was also brought up of just how many users have ever actually used the Terminal. In my view, that's irrelevant, because a sizeable number of third-party apps make use of the shell in one way or another, and unless you're watching Activity Monitor continually, you're not likely to ever know just how many shell sessions are running in the background. Given that, there's no value in not pushing this out to everyone. Why Apple has not chosen to do so is indeed a mystery.
Like
Psychos
01 October 2014
Still does not address all CVEs, even though fixes were available when Apple released version 1.0 of this. "Bash update 1.0" is still vulnerable to CVE-2014-7186 and 7187. Download the official source and patches from gnu.org if you want a safe version of bash. Those are up to date, unlike Apple's late release.
Like
Version 1.0
2 answer(s)
Psychos
01 October 2014
Hmm, despite CNET, ZDNet, and others claiming it's still vulnerable, this patch may be okay. It does show as bash 3.2.53, but appears to have the unofficial fixes applied that match the behavior of bash 3.2.54, which Apple's security notice backs up. "bashcheck" does not show vulnerable to 7186 for me.

I'm still going back to the latest gnu version myself, though. (3.2.54 right now.)
Like (2)
sambear1965
01 October 2014
Result of update using
https://github.com/hannob/bashcheck
$ ./bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
Variable function parser inactive, likely safe from unknown parser bugs

FYI
Like (1)
Macinman
30 September 2014
I thought it was interesting to see a bash update for OS X. My media server, which runs Ubuntu Studio, just had a couple of bash updates this past week as well. While I have applied all available patches, since SSH or Telnet aren't open to the public here, I'm not sure how at risk my systems are. I usually just use the shell over the local LAN, which is just the two computers in the home.
Like
Version 1.0
6 answer(s)
Holmemoss
30 September 2014
I have 10.6.8 and cannot find any information for a bash fix.

I take it from napabar's post, all of us still using Snow Leopard are also vulnerable.

Any patch or is it wait for Apple?
Like (1)
lurkingremlin
30 September 2014
This works with Snowy too:

http://tenfourfox.blogspot.dk/2014/09/bashing-bash-one-more-time-updated.html
Like (1)
lurkingremlin
30 September 2014
Oops, here's an updated version covering another hole in bash:

http://tenfourfox.blogspot.dk/2014/09/and-bash-goes-on-4327.html

http://sourceforge.net/projects/tenfourfox/files/tools/bash-4.3.27-10.4u.gz/download
Like (2)
Holmemoss
01 October 2014
Thank you, lurkingremlin.
Like
lurkingremlin
01 October 2014
Another two flaws found - and already patched by those great folks at TenFourFox. Same link as above. Bash updated to version 4.3.28 now.
Like
lurkingremlin
01 October 2014
Sorry, posted too fast - Download link has been updated, blogspot link is the same (you can download the patch there, as before).
Like
Surfspirit
30 September 2014
As if the older systems were immune, it's a security Update Apple, a patch for a VERY SERIOUS glitch, give some respect for all your users, all of them and give a patch for all the affected Systems!! So much hype for the most secure system in the World, not Mac OS X for sure, Apple is not doing a very good job!
Like (1)
Version 1.0
6 answer(s)
Kobalt
30 September 2014
Lion : http://support.apple.com/kb/DL1767
Mountain Lion : http://support.apple.com/kb/DL1768

And then there's this : http://tenfourfox.blogspot.com.au/2014/09/bashing-bash-one-more-time-updated.html?showComment=1412021577609
Like (3)
Surfspirit
30 September 2014
So it seems Apple didn't have the resources or money to solve it, it was needed the kind of open source people. Maybe now Apple just rip it off and make an installer of it...! This is not the company I used to know!
Like (1)
Jess-MacUpdate
30 September 2014
OMG! My thanks to you, Surfspirit, for pointing out the lack of downloads for earlier versions of the OS, and to you, Kobalt, for having provided them when we failed to do so. I don't know why they were missed, but I've added them to the Related Links section so they'll be more visible. We really dropped the ball on this one. My apologies to all of you on earlier versions of the OS. (I, myself, have an older Mac Pro which is still running OS X 10.7, so I understand how you feel for having been left out.)
Like (1)
napabar
30 September 2014
What are you rambling about? Apple has been using open source projects since switching to Mac OS X. Ever heard of WebKit? ZeroConfig IP? You have no idea what you're talking about. And 10.6 and older are UNSUPPORTED operating systems. Next time, THINK before you post.
Like (4)
RavenNevermore
30 September 2014
This is NOT a "VERY SERIOUS glitch" and most people will not be affected by it.

Apple did not write BASH, so all Unix systems that run BASH will need to be patched.

@napabar, you are right. Apple actually started the WebKit project as a fork of KHTML and KJS. Now it's used by several browsers.
Like (1)
-rick-v-
30 September 2014
Surfspirit: " This is not the company I used to know!"

Oh yeah? What Apple did you know? Because the Apple *I* knew never used resources supporting older operating systems. The most is usually not more than providing updates to iTunes or occasionally Safari. And usually for only the most recent past operating system. Nor have they ever pledged support of "buy this and we'll support it for X years!"
Like (2)
Aergern
30 September 2014
Great. So 10.8.x users are out of luck. So glad I've used zsh for over a decade. Thanks Apple.
Like (1)
Version 1.0
2 answer(s)
Abbott
30 September 2014
Do just a little research and you'll find that Apple issues patches for 10.8 (http://support.apple.com/kb/DL1768) and 10.7 (http://support.apple.com/kb/DL1767).
Like (5)
SickTeddyBear
30 September 2014
Note, it doesn't matter what your default shell is, you need to apply this patch no matter what, because as long as the bash binaries are on your system, then it's vulnerable.
Like (2)
Amc3
30 September 2014
Terminal shows that this patch changes the GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13) Copyright (C) 2007 Free Software Foundation, Inc. to: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13) Copyright (C) 2007 Free Software Foundation, Inc. and I had read that bash was vulnerable up to 4.3 so I'm not so sure this is fully the cure as very little is provided at Apple support pages regarding this patch nor issue except boilerplate text as follows: This update fixes a security flaw in the bash UNIX shell. For more information on the security content of this update, see http://support.apple.com/kb/HT1222 which states: Apple security updates This document outlines security updates for Apple products. For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
Like
Version 1.0
3 answer(s)
Wevah
30 September 2014
This is a patched version on the 3.2 branch, that's all.

Apple is slow at posting security content pages, though. :/
Like
zaydon
30 September 2014
Modern bashes include 3.2, 4.1, 4.2, 4.3. All have a certain patch level to mitigate CVEs as they come about. What's concerning is not that Apple still uses 3.2. This is a very stable and known good version. It's that they didn't apply patch level 54 that includes two new CVEs that were discovered (6277, 6278) and already sent upstream as you can see here. http://ftp.gnu.org/gnu/bash/bash-3.2-patches/
Red Hat is just eating Apple's lunch on the update speed. I know there is lots of testing involved, but Apple must have a QA department the size of the whole Red Hat company.
Like (4)
SickTeddyBear
30 September 2014
Apple has always done a poor job of keeping the open source components of OS X up to date in a timely manner. Anyone who knows what they are doing should not be waiting around for Apple in regards to this issue. I've completely replaced the Apple provided bash with my own (that means actually overwriting the Apple binaries), and don't plan on looking back.
Like (1)
anonymous-thrush-1121
30 September 2014
Welcome, welcome, welcome.
Like
Version 1.0
Free

App requirements: 
  • Intel 64
  • Intel 32
  • OS X 10.9.5 or later

Downloaded & Installed 4,411 times