How to fix Shellshock Bash on Mac OS X: Mavericks edition

Apple Mac OS X users concerned about the Bash vulnerability dubbed Shellshock got some relief yesterday as Apple published fixes for various versions of OS X. If you are in a hurry to apply the fix, here are the links for: Mavericks, Mountain Lion, and Lion. We have more information on the Shellshock issue here.

But wait, there’s more: OS X 10.9.5!

Note! Before doing the Bash fix on Mavericks you need to be sure that you are running the latest version of Mavericks: 10.9.5. This needs to be installed before you can apply the Bash fix. I’m making a big deal about this because frankly I was sure my Mavericks was up-to-date and I had the latest, greatest version. But it turns out that on September 17 Apple released OS X Mavericks 10.9.5 Update (Combo).

I only found this out after downloading the Bash fix for Mavericks and trying to run it. Apple pops up a message saying I need 10.9.5. To be fair it does say 10.9.5. is required on the fix page when you start the download, albeit in small light gray type. But frankly, I don’t go around with the latest version of my OSes in my head, not to three “decimal” places. Maybe it’s all the traveling I’ve been doing lately but I was totally unaware of 10.9.5 and it’s not like I don’t use my Mac every day (I do, it follows me everywhere). So, I’m going to take a wild guess here and assume that a lot of readers who use Macs are similarly unaware of 10.9.5.

Update Impediments

In some ways, this is no big deal, after all, you want to be running the latest version and this little “gotcha” serves as a reminder, right? Not so fast. First, I’m still mystified by how I missed the OS update. I would have appreciated a note on the Mavericks Bash fix download page that said “BTW, less than two weeks ago we published an update from 10.9.4 to 10.9.5 and you will need to implement that before fixing Bash, and so here’s a link.”

Second point of concern is that best practice for an OS update is to back up the current system before proceeding. That capability is not always on hand, for example when traveling. Predicating a “quick” security fix on an entire OS update could be considered burdensome. For example, I’m just back from a trip and haven’t backed up my MacBook Air since I got home (I know it’s no excuse, but I’m just trying to be honest here).

Third point is the “IF” factor involved in any OS upgrade. For example, what if my attempt to update from 10.9.4 to 10.9.5 fails or stalls? And that is what it did about two hours ago, stalled and then failed. Admittedly it “failed safe” in that it did not trash or brick the system, it just dumped me back to 10.9.4 (which was lucky for me since I had broken my own rule and attempted an update before backing up). The point is, I can’t install the bash fix until I figure out the 10.9.5 thing (there is some discussion about this online).

Another slightly odd aspect to the Bash fix is that it is not currently being pushed through the App Store Update process. You need to download the image file from the links (Mavericks, Mountain Lion, and Lion).

I will try to publish screenshots of the fix process, after I back up my Mac and complete the install of 10.9.5.

FYI: The image for this post is a cinematic pun, the same one my colleague Lysa Myers used for her first post on Mavericks (hint: Starring Tom Cruise).

Author Stephen Cobb, ESET

  • Jammer

    I really would have thought that by now a DDos tool would have been created using the GET Http command along with crafted headers utilising this exploit fromam pool of exposed servers. Theoretically it could be used to take down a lot of servers with a SYN or a simple TCP ping flood.

  • Robert.Walter

    My take is the update store was not used because the fix is a stop gap partial that will be rolled into Yosemite along with several more fixes. I found it super lame that there was no drop down in the Mac app store update page pointing out what a person should do and if the need to do it or wait.

    The OS X update crew better read the memo from tim again and increase their openness settings!

Follow us

Copyright © 2016 ESET, All Rights Reserved.