The recent vulnerability that has affected systems running the popular Bash shell can allow an attacker to arbitrarily run code on any system that has a running installation of the unpatched bash shell. This includes every version of OS X, so if you have a Mac that you regularly use, then you can be sure it is updated first and foremost by applying any security updates that Apple issues; however, if you wish to update your system right away then you can download and compile the latest Bash version for OS X, which to date is version 3.2.
Next, you will need to download the Bash source from Apple, patch it, and then compile and install it. This sounds complicated, but can be done by running the following series of commands in the OS X Terminal after you have installed Xcode:
- Download and unpack Bash from Apple:
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
- Change directory to the downloaded Bash folder:
- Download the patch script from Gnu.org, and apply it. These must start with 052 (the first listed here), and then apply subsequent patches sequentially, if available:
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0; curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0 curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
- Go up one directory and then build the patched version (a bunch of text will scroll up when you do this):
- Backup the current Bash and Sh executables:
sudo cp /bin/bash /bin/bash.bak; sudo cp /bin/sh /bin/sh.bak
- Copy the new version into place to make it the default and targeted executible
sudo cp build/Release/bash /bin; sudo cp build/Release/sh /bin
- Remove the execute bit on the backup versions of Bash and Sh to ensure they are not run:
sudo chmod a-x /bin/bash.bak /bin/sh.bak
After you have completed these steps, your system should have a patched version of Bash that is not vulnerable to the problem at hand. Keep in mind that while this is a fix, a more robust or complete solution may develop in the next few days, so be sure to check back here for updates on patches. In addition, if there is an update available from Apple, then be sure to apply that update instead. Doing so will replace any custom builds you have installed.
In addition, keep in mind this fix does not address the issue in full, since the problem at hand may be in hardware devices like routers, media centers, and print servers, some of which are so old that companies are no longer supporting them with updates.
Reverting the patch
To undo this change to OS X and revert your Mac back to the old version of Bash, you can perform the following steps in the Terminal:
- Remove the patched versions of Bash and Sh:
sudo rm /bin/bash /bin/sh
- Rename the backups to their original names:
sudo cp /bin/bash.bak /bin/bash; sudo cp /bin/sh.bak /bin/sh
- Ensure both of these files are executable:
sudo chmod a-x /bin/bash /bin/sh