Update 9/30/2014: Patches are out for OS X, so run Software Update on your Apple devices.
The “Shellshock” bug is serious because it opens a big security hole in all versions of the Bash software going back 25 years. Bash can be included as part of the Unix operating system that runs most of the servers and backbone equipment of the Internet. (And Apple computers; read more below.) Many big companies and Internet services have been working fast to patch their systems since the bug was first revealed a few days ago.
Hackers started scanning the web within hours of the announcement of the bug, and the developers of hacking software added “modules” to their own systems to allow people – good guys and bad guys – to scan for the Bash bug and see who and what systems are vulnerable. For the technical lowdown, see the Federal Government’s security website: GNU Bourne-Again Shell (Bash) ‘Shellshock’ Vulnerability | US-CERT
But, as an OS X and/or iPhone user, you’re not really that much in danger.
Yes, OS X ships with Bash, but you need to be more of a Mac poweruser to even have Bash accessible to the outside world and the Internet as a whole. The Unix that runs OS X is under the hood and not accessible to you unless you go looking for it.
Apple has said they are working on a fix, but according to Apple in this news piece at TechCrunch:
“An Apple spokesperson provided the following to TechCrunch regarding the vulnerability, which affects bash, a Unix shell that’s part of Apple’s desktop OS”:
The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.
So, in other words, if you’re not a poweruser, there’s no need to worry. That said, on your iMac and MacBook, you should have Software Update turned on and configured to automatically download and install updates as they become available from Apple. See OS X: Updating OS X and Mac App Store apps.
In OS X Lion and earlier, choose Apple menu > System Preferences… > Software Update.
In OS X Mountain Lion and later, choose Apple menu > System Preferences… > App Store. In Mountain Lion and later, software updates come through the Mac App Store, and you will see a small popup on the desktop with buttons for “Details” and “Update.”
For your iPhone, iPad, or iPod, go to Settings > General > Software Update. See Update your iPhone, iPad, or iPod touch iOS software.
Be sure that, under Preferences, you have Software Update set to check for updates each day and automatically download them, too.
If you have Software Update running in OS X Mountain Lion and later, you may see a badge appear with the number of software updates available on the App Store icon in the Dock.
If you’re good with Terminal (the app that you use to run Bash and work with the Unix that is under the hood of OS X) and want to check the version of Bash on OS X, check out The ‘Shellshock’ Bash vulnerability. That site gives instructions and a test function to run in Bash that will tell you if you’re vulnerable. But again, unless you know what SSH and Bash are and use them, there’s no real need to worry. My OS X systems are technically vulnerable, according to the test, and I use SSH and Bash, but I know enough to keep my systems safe until there is a patch.
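For readers who do use Terminal, here is a local self-check of the kind described above. It is an added example, not the test from the linked site or from Apple, and the function names and marker string are made up for illustration. It only probes the original function-import flaw on shells installed on your own machine.

```shell
#!/bin/sh
# Added example (not from the original post): local Shellshock self-check.
# Function names and PROBE_MARKER are illustrative assumptions.

# Print the bash version of a binary (prints nothing if it is not bash).
bash_version() {
    "$1" -c 'printf "%s" "$BASH_VERSION"' 2>/dev/null
}

# Probe one shell binary. Prints "vulnerable", "not vulnerable" or "missing".
shellshock_probe() {
    bin=$1
    [ -x "$bin" ] || { echo "missing"; return 2; }
    # The value looks like an exported function with a command tacked on
    # after the closing brace. A vulnerable bash runs that trailing command
    # while importing its environment; a fixed one ignores it.
    out=$(env probe='() { :;}; echo PROBE_MARKER' \
        "$bin" -c 'echo done' 2>/dev/null) || true
    case $out in
        *PROBE_MARKER*) echo "vulnerable"; return 1 ;;
        *)              echo "not vulnerable"; return 0 ;;
    esac
}

# Check the usual locations; on OS X /bin/sh is also a bash build.
for shell_bin in /bin/bash /bin/sh; do
    ver=$(bash_version "$shell_bin") || true
    printf '%s (bash version: %s): %s\n' "$shell_bin" "${ver:-n/a}" \
        "$(shellshock_probe "$shell_bin")"
done
```

Run it again after installing the update; both lines should then read “not vulnerable.”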
Now, there is cause for concern about the many kinds of embedded systems and industrial controls out there that use Unix and Bash. Those dangers are still being assessed. And we can be sure that the Shellshock bug will be in the news for some time to come.