
How to patch OS X for the bash/Shellshock vulnerability


There's a big bad bash bug out in the Unix world called Shellshock, and it is pretty serious. Bash is a ubiquitous bit of software; a command interpreter, or "shell," that provides a basic text-on-a-green-screen interface to POSIX/UNIX and Unix-like systems. Bash is present on every Linux distribution, almost every UNIX system, many Android phones, thousands upon thousands of embedded OS versions on hardware devices -- and on every version of Mac OS X ever shipped.

Like the recent Heartbleed vulnerability in OpenSSH, Shellshock has the potential to be calamitous; in fact, it could be quite a bit worse than Heartbleed, because in theory Shellshock could allow malefactors to run arbitrary commands on lots and lots of UNIX or Linux machines. If that sounds unpleasant, it is.

Shellshock attacks could target several points of entry -- Git and Subversion clients, compromised DHCP servers, etc. -- but the most likely vector would be through the wildly popular Apache HTTP server, included on most UNIX or Linux distributions and on OS X. Mac users might breathe a little easier knowing that Apple removed the System Preference control for the Apache web server in the standard Mountain Lion and Mavericks OS X versions. Apache is still there under the hood, however; it's front and center in OS X Server, and you can easily turn it back on with the free Web Sharing control panel.

If your Mac shipped with Mountain Lion or Mavericks (i.e. you bought it in the last two years), it's highly unlikely your Apache web server is turned on. It also probably got turned off if you upgraded to a current OS X edition, so if you didn't take steps to reactivate it, your potential attack surface for Shellshock is smaller than it would be otherwise. (Not sure if your Mac's web server is on or off? Try visiting http://localhost/ in your browser. No page available = off, anything else such as "It works!" = on.)

The Vulnerability Summary for CVE-2014-6271 rates Shellshock as a "10," and there is no 11. You can read all about it if you want to learn more (I recommend Troy Hunt: Everything you need to know about the Shellshock Bash bug), but here I'm going to share a way to fix it on your Mac running OS X.

As mentioned, the vulnerability is most concerning for Macs used as web servers on the Internet, but the security-minded average user may want to go ahead and patch anyway. This solution comes from Ask Different, one of my favorite Mac Q&A sites. Alex Blewitt (@alblue) wrote up a great answer to How do I recompile Bash to avoid Shellshock. He also wrote it up on his website, so full credit to him for the solution. (If the notion of recompiling a system utility is alien to you, breathe easy; we're going to go step by step.)

First, you need to make sure that you have Apple's Xcode development environment installed (the command-line tools alone are not sufficient). If you don't have Xcode, you can grab it for free from the Mac App Store -- but be prepared to wait for a while, it's a 2.5 GB download. Once the App Store finishes installing it, you need to enable the command-line tools by agreeing to the licenses; open Terminal.app and type "sudo xcodebuild -license" followed by a return. You'll be prompted to review Xcode's licensing agreement, which you are welcome to read in its entirety if you have the time.

Once the license agreement is done, you'll need my bash-fix script, which you can download from GitHub, and you'll need to be logged into your Mac as an OS X administrator (if you're the only user of your Mac, your account is the administrator account). Once you have the bash-fix.sh script downloaded, make the script executable -- type chmod 755 and a space, then drag the downloaded script into the Terminal window, and hit Return. Next step, run the script -- drag bash-fix.sh into the Terminal window, and hit Return. The script will download the bash source, patch it, compile it, install it, and replace the old instances of the bash and sh executables; it will prompt you for your password along the way, so keep an eye out for that.
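To confirm the fix actually took (the script replaces both bash and sh, so both should be checked), here is an added verification script that is not part of this post or of the bash-fix.sh script. It assumes the stock OS X paths /bin/bash and /bin/sh and uses the CVE-2014-6271 probe from the advisory: an exported function definition with a command appended, which a fixed bash must ignore.

```shell
#!/bin/sh
# Added example, not the bash-fix.sh script from the post. Verifies that a
# shell binary no longer executes a command appended to a function definition
# imported from the environment (the behaviour described by CVE-2014-6271).
# Assumed paths: the stock OS X shells live at /bin/bash and /bin/sh.

# shellshock_status SHELL
#   Prints a one-line verdict. Returns 0 when SHELL ignores the trailing
#   command, 1 when SHELL executes it, 2 when SHELL is not executable.
shellshock_status() {
    shell="$1"
    [ -x "$shell" ] || { echo "missing:    $shell"; return 2; }
    # A fixed bash defines the function "marker" and stops; an unpatched one
    # also runs "echo SHOCKED" while importing the environment, before the
    # -c command we asked for. Shells that never import functions (e.g. dash)
    # simply see an ordinary variable and print only "probe".
    out=$(env marker='() { :;}; echo SHOCKED' "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHOCKED*) echo "vulnerable: $shell"; return 1 ;;
        *)         echo "patched:    $shell"; return 0 ;;
    esac
}

# check_all
#   Probes every shell the fix script replaces. Returns non-zero if any of
#   them is missing or still vulnerable, so it can gate a cron job or a
#   configuration-management run.
check_all() {
    rc=0
    for s in /bin/bash /bin/sh; do
        shellshock_status "$s" || rc=1
    done
    return $rc
}

if check_all; then
    echo "all shells patched"
else
    echo "action needed: run bash-fix.sh (after 'sudo xcodebuild -license') and re-check"
fi
```

Run it before and after the fix script; a "vulnerable" line after the script finished means the compiled bash did not replace the one at that path.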

Apple will eventually issue an official fix for this problem (and these steps should not interfere with that in any way), but if you don't want to wait for Apple's fix, you can get started now.

Unfortunately there is another bash vulnerability which, as of this writing, has not been patched. But it's better to fix one problem than zero problems, especially if you have a public Mac server somewhere.

Michael Rose contributed to this post.

Update: (26 Sep, 10:15 a.m.) If you are getting an error, be sure to run sudo xcodebuild -license and agree to the terms and conditions. Then re-run the script. -- Tj