September 30, 2014

Apple has released updates to insulate Mac OS X systems from the dangerous “Shellshock” bug, a pervasive vulnerability that is already being exploited in active attacks.

Patches are available via Software Update, or from the following links for OS X Mavericks, Mountain Lion, and Lion.

After installing the updates, Mac users can confirm that the patched bash is in place by checking its version, as follows:

* Open Terminal, which you can find in the Applications folder (under the Utilities subfolder on Mavericks) or via Spotlight search.

* Execute this command:
bash --version (two ASCII hyphens before “version”; a single hyphen also works, but a dash copied from a web page that has been turned into a typographic en dash does not).

* The version after applying this update will be:

OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
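The version string only shows that Apple’s update landed; it does not show that the parser bug itself is gone, which is why several readers in the comments below run the published test commands by hand. The script that follows is an added example, not part of the original post and not from Apple’s advisory. It classifies a pasted “bash --version” line against the post-update versions listed above (darwin11 to darwin13 from the post; darwin14 for Yosemite is taken from a reader’s comment further down), and then probes a bash binary for the original Shellshock bug (CVE-2014-6271) and for the “(a)=>\” variant (CVE-2014-7169) that readers test below. The second probe runs in a scratch directory so that a stray “echo” file left by an earlier manual test cannot produce the false positive discussed in the comments. The function names and verdict words are my own choice.

```shell
#!/bin/sh
# Added example (not Apple's advisory and not the original post): confirm a
# Shellshock fix on a Mac by (1) classifying the "bash --version" string against
# the post-update versions listed above and (2) probing the binary for the bug.
# Function names and the verdict words are my own choice.

# Usage: classify_bash_version "<output of bash --version>"
# Prints: patched | unpatched | third-party | unknown
# Fix level 3.2.53 for x86_64-apple-darwin11..13 is from the post; darwin14
# (Yosemite) is from a reader's comment further down the page.
classify_bash_version() {
    case "$1" in
        *"GNU bash, version 3.2."*"-release (x86_64-apple-darwin1"[1234]")"*) ;;
        *"-apple-darwin"*) echo third-party; return 0 ;;  # e.g. a 4.x bash from MacPorts/Homebrew
        *)                 echo unknown;     return 0 ;;  # not an Apple build at all
    esac
    _rest=${1#*"version 3.2."}   # "53(1)-release (x86_64-apple-darwin13)..."
    _patch=${_rest%%\(*}         # "53"
    if [ "$_patch" -ge 53 ]; then echo patched; else echo unpatched; fi
}

# Usage: probe_cve_2014_6271 /path/to/bash
# Original Shellshock: code trailing a function definition in an exported
# variable is executed when the child bash starts. Prints: vulnerable | patched
probe_cve_2014_6271() {
    _out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    case "$_out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Usage: probe_cve_2014_7169 /path/to/bash
# The "(a)=>\" variant: on a vulnerable bash the leftover parser state turns the
# -c command "echo date" into "> echo date", so a file named "echo" appears in
# the working directory. Run in a fresh scratch directory, so an "echo" file left
# behind by an earlier manual test cannot cause a false positive, then clean up.
probe_cve_2014_7169() {
    _dir=$(mktemp -d) || return 1
    ( cd "$_dir" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$_dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$_dir"
}

# Stand-alone run: /bin/bash is the binary Apple's update replaces; a bash from
# MacPorts or Homebrew found first in PATH is a different program (pass its path
# as the first argument to check it instead).
bash_bin=${1:-/bin/bash}
if [ -x "$bash_bin" ]; then
    version_out=$("$bash_bin" --version 2>/dev/null)
    echo "binary:         $bash_bin"
    echo "version:        $(printf '%s\n' "$version_out" | head -n 1)"
    echo "version check:  $(classify_bash_version "$version_out")"
    echo "CVE-2014-6271:  $(probe_cve_2014_6271 "$bash_bin")"
    echo "CVE-2014-7169:  $(probe_cve_2014_7169 "$bash_bin")"
fi
```

Run it with no arguments to check /bin/bash, or give it the path of another bash such as /opt/local/bin/bash. A 4.x bash from MacPorts or Homebrew that happens to come first in PATH is reported as third-party because it is not the binary Apple’s update touches; the same test is what tells the 3.2.51 and 3.2.48 strings some readers report below apart from the patched 3.2.53.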

96 thoughts on “Apple Releases Patches for Shellshock Bug”

    1. Al Varnell

      It will not be appearing in the App Store, though it may be updated silently in the background as a critical update, but for now you must use Apple Downloads.

      1. uhm

        a week passed, but it’s still not in the software update (ML).

        shame on Apple, this is really a critical bug, users want bash fixed and there is no reason this is not in the software update.

  1. BrianKrebs Post author

    Canuck — you may just want to try the links to the direct download that are included in the story.

    1. Stephen Cobb

      The Mavericks update requires that you have already upgraded to 10.9.5 and that was only released about 10 days ago, right?

      I’m wondering how many people are going to stumble into that one.

    2. Dbl303

      I found the manual GNU download and Xcode build was relatively quick and painless. A little terminal work never hurt anyone.

    3. Adley DaSilva

      I really enjoy reading your articles. We have been working for three years on a new software technology that will enable complete security to sensitive data from the point of sale. Also, this application will allow electronic data to be sent from a screen display to any mobile device without an EMV, NFC, Wi-Fi or any other type of connection. It would be great if you have the chance to look at our presentation deck and give us your feedback since this is your area of expertise. Thanks. Adley

  2. George

    Is that the correct terminal command? Should be bash --version perhaps?

      1. Wayne

        Single or double hyphen in front of ‘version’ seems to work in my fixed version.

        I, too, wasn’t able to get it through App Store Updates, but the link worked just fine.

  3. Dan

    bash -version reporting ‘3.2.53(1)’ tells me my system has been upgraded to that version of bash. Actually running some of the shell commands published elsewhere (surprised they’re not in this article!) tells me it’s been patched.

  4. Dennis

    Yes, I confirm. One needs to get it from the link in the article. It’s not yet in the updates app.

    Also Brian, please adjust your “bash –version” command in the article. There should be a minus before `version`. Otherwise if people copy-and-paste it, it won’t work. The correct command is:

    bash -version

    PS. I know they both look the same, but they have different character codes.

    1. BrianKrebs Post author

      Dennis, not sure what you’re telling me to adjust. That’s a direct cut and paste from Apple’s advisory.

      1. thecollective

        Actually, the command that worked for me is bash --version (pre-update). Post-update the single dash seems to work.

      2. Thomas Ng

        Hi Brian –

        I think you have an em-dash (“–” instead of a regular ‘dash’ (“-“) in the command string.

        it should be a dash: #bash -version
        instead of an em-dash: #bash –version

        The difference is subtle, but notice the length of the “dash” between the two examples.

        Thank you

      3. timeless

        Hi Brian, in the announcement, it has:

        * Execute this command:

        Unfortunately, WordPress wptexturize is “helpfully” converting two consecutive dashes into an em dash, see:
        for information and a suggestion about how you could work around it.

        I suspect that this would work instead:

        bash -c ‘echo $BASH_VERSION’

        I don’t think WordPress will mangle this command, and hopefully it will produce the same output (I don’t have a Mac [or a Linux/Unix computer for that matter] handy at this time).

        1. timeless

          Who am I kidding?

          wptexturize helpfully converted my simple quotes into smart quotes (which bash won’t like).

          Sorry folks, WordPress makes it too hard to post this content :).

        2. JCitizen

          I thought it was only Windows that . and \ ‘d you right in the C: !!

          BWAHAHAHAHA! 😀

  5. Alan Ralph

    Nothing showing up on Software Update yet, so I downloaded and installed the patch for Mavericks on my system.

    I note that Apple are only patching Lion and later versions – I’m guessing that Snow Leopard and earlier are still vulnerable?

    1. timeless

      More importantly, Snow Leopard and earlier have many other unpatched vulnerabilities.

      If you’re running one of them, please unplug it from all networks. And schedule replacing either the hardware or the OS with something that is still supported.

      1. Bruce

        Must be nice to have unlimited cash to buy the latest hardware. Some folks work for government agencies with tight budgets (or pending cuts) and can’t justify replacing a working G5 with something newer just because the OS can’t be upgraded. At any rate, the machines I have running Snow Leopard were manually patched last week and passed the “vulnerability” test. Other “unpatched vulnerabilities”? Maybe. But the same could be said about any system at any level these days.

        1. Bruce Hobbs

          If my five-year-old MacBook Pro can run Mavericks, where’s your beef? Because someone incorrectly said you had to upgrade hardware? I have a $500 course that teaches people to not be so gullible…

        2. timeless

          I don’t have unlimited cash either.

          The last computer I bought happens to be a G5. I’ve taken my own advice and it is not connected to the Internet.

          If you need an Apple and you need Internet access for it, there are two options that come to mind:
          1. Buy something that’s newer, but used
          2. Buy a tablet, I suspect an iPad (or a used iPad), would be relatively inexpensive.

          You should be able to purchase one of these items for $200-$400 every 2-3 years. Making the cost <$0.50/day, which is really not bad.

          If that doesn't work for you, consider using a Library (I'm writing this post from the local library, they have very nice computers, and helpful people).

          1. Wayne

            Another route is Apple sells refurbished equipment online for a good discount and a longer warranty. My iPad and my 27″ i7 iMac came from those sources. Not as inexpensive as recent/used, but much better prices. My iMac is a 2011 model, since it has 16 gig of RAM and an i7 I expect at least five more years out of it with probably a HD upgrade along the way, once I figure out how to revise my backup methodology.

        3. timeless

          It’s hard to provide a good explanation for just how dangerous what you’re doing is. Here’s the best metaphor I can come up with (my computer ate the first two or three attempts at writing this):

          Imagine you had an Armored Tractor from WW2 (the US Army artillery was related to the non military tractors of the time — component reuse). Imagine that the government surplussed their tractor to you. You use it for a while, and then you leave it (fueled) in your backyard. Some time later, there are reports of hoodlums going around the neighborhood taking tractors for joyrides, running over people’s cows, and shooting at schoolyards/buildings.

          The government issues a request that people decommission their tractors, because they’re a public nuisance, an actual risk to the community.

          Example two: your local township discovers that there have been a number of accidental shootings due to guns lying around people’s houses. They create a gun-buyback program, declaring that these tools are dangerous and should not be left unattended.

          Outdated computers running insecure software are regularly taken over by criminals and hoodlums. Some just take your tractor for a joyride, sometimes they accidentally run over a stop sign. Sometimes they knock over a bank. Unlike a handgun or tractor, computers can do more than one thing at a time. Your computer can be (1) robbing a bank, (2) defacing schools, (3) picking the lock of your neighbors house, all while you play (4) Sudoku.

        4. timeless

          At the very least, you’re probably running a vulnerable version of Safari (5.1.x).

          Chrome doesn’t support PPC, nor do current versions of Firefox.

          (requires x86, but would support 10.6)

          (Long Term support edition; requires x86, but would support 10.6)

          Opera switched to Blink (what Chrome uses), which means you can’t use Opera on your G5.

          That means you can’t safely browse the web.

          Skype (requires x86, but would support 10.5)

          Note that reading email is roughly as dangerous as browsing the web, so you can’t get a mail client.

          Quicken (requires x86; and requires 10.7)

          Once you’ve ruled out Browsing, Emailing, and Skype, there really isn’t much left for your Internet connection. Please do yourself and everyone else a favor and remove the computer from the Internet. — As I’ve noted, I’ve done so.

          If you’re a school:

          If you’re actually a government entity, I’d suggest you contact a newspaper and get them to do a story about how the systems you’re using are insecure. In the old days, I’d suggest speaking to the Washington Post columnist behind the Security Fix. I’m not sure if he’d cover such a story now that he no longer works at the Post, but it’s worth a shot.

        5. Rabid Howler Monkey

          Bruce: “the OS can’t be upgraded”

          OS X can’t be upgraded. Have you given any thought to a GNU/Linux desktop install? Both Debian and Ubuntu support the PowerPC architecture:

          P.S. If you don’t want to install GNU/Linux on your G5 Mac, consider booting from a LiveCD. This would be preferable for web surfing, email, media streaming, etc. And you would have access to the G5 Mac OS X programs that you regularly use. Brian recommends Puppy Linux here:

          1. Rabid Howler Monkey

            Correction: Puppy Linux does not support PowerPC, so scratch that. 🙁

            However, the Ubuntu ISO download I linked above also serves as a Linux LiveCD so you can boot it and see how it runs. Adding the ‘–toram’ boot option to the boot command prior to booting provides both a faster and smoother experience if you’ve got 2 GB of RAM on your Mac. See the Ubuntu link for PowerPC Faqs I posted above for instructions regarding the LiveCD including booting it on a PowerPC-based Mac.

            P.S. Faronics Deep Freeze for Mac, reboot-to-restore software, might also be an option for you as it supports OS X Leopard 10.5 and PowerPC. Just note that it is not free. This is about as close as one can get to a LiveCD using the hard drive.

      2. SeymourB

        Good thing I’m not taking your advice and am using a G5 connected to the internet at home. Of course, I don’t use internet plugins, I use a fully patched/updated web browser, I use a fully patched/updated email program – hell I’m even using a fully patched/updated bash. I also use a hardware firewall so there’s no direct access to my system without it first initiating an outbound connection, and Little Snitch (not to mention hardware firewall rules) keeps a handle on outbound connections just fine.

        Just because Apple doesn’t provide X doesn’t mean X doesn’t exist. If you use an old/unpatched Safari, etc. you’re just as screwed under 10.9.3 as you are under 10.5.8. If you turn to third parties for updated components, you can keep using those older systems just fine, and with perfectly adequate security, provided you block internet access to the old/unpatched components.

        1. Rabid Howler Monkey

          Wasn’t the last version of OS X supported on PowerPC-based Mac hardware Lion, or 10.5? Firefox, SeaMonkey, Chrome and Opera are no longer supported on OS X Lion.

          What web browser are you using on your G5? Do you build it from source code if its open source? Ditto for bash?

          1. SeymourB

            TenFourFox. Current Firefox code. Compiled for PPC platforms. Full source published and available.

            Any more questions? Christ, I swear some people think that if large organizations stop doing X, there’s no way anyone else in the entire world could do X. Those large organizations are staffed by incompetent boobs, the only reason they stopped doing X is for “vision” purposes. “Vision” and a buck will get you a cup of coffee.

            1. Rabid Howler Monkey

              SeymourB: “Any more questions?”

              Just one, and this question is also for Mr. Krebs should he wish to chime in: What about rule number 2 of Krebs’s Basic Rules for Online Security, “If you installed it, update it.”


              Note that this includes the operating system, including the kernel, libraries and the GUI. Am curious if you also build your OS X kernel (read Darwin) and (if you use it, as Cocoa is proprietary) from open source code too…

              In addition, here’s an excerpt from Mr. Krebs regarding the end-of-life for Windows XP in April, 2014:

              “I would submit that if your PC runs XP and came with XP installed, that it might be time to upgrade the computer hardware itself in addition to the software. In any case, beyond this month is not the greatest idea, and it’s time for XP users to consider other options. Don’t forget that there are many flavors of Linux that will run quite happily on older hardware.”

              Why would OS X Lion on a PowerPC be any different than Windows XP on x86? I’ve read multiple articles that the PowerPC architecture was more secure than x86. Perhaps, you can add some detail to this…

          2. Al Varnell

            Might be worth making one small correction here so there is no further misunderstanding.

            The last OS X that would run on a PPC Mac was 10.5 Leopard. OS X 10.7 Lion is still fully supported, but runs only on Intel Macs.

  6. Matt

    Hmm… I just updated my Mavericks, and when I look at the version, it matches what you have above:

    $ bash -version
    GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)

    But when I type the test commands found elsewhere, eg:
    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    I get the following output, which supposedly says it’s still vulnerable:
    this is a test

    Any thoughts?

    1. phila

      Won’t be patched in current dev and public beta versions. Future releases will be patched, however.

      1. Al Varnell

        There were tests for two of the four CVEs currently remaining, and neither of them tested positive in Mavericks, either before or after applying the patch, so Apple’s version may not have these other vulnerabilities.

  7. Jon Marcus

    Are there exploits that’d work against a non-server desktop or laptop? Any that have been seen in the wild?

    Certainly it’s a good idea to patch this. But as security priorities go, how big a deal is this for Jane User sitting at home on her desktop? (Or at Starbucks on her laptop?)

    1. Jim

      If you’re running a web server on your Mac, and you happen to be using CGI scripts that invoke Bash, then it’s an exploitable problem. I suspect that’s not a lot of Mac users — but of course it’d be prudent to apply any and all security patches, regardless of how likely an exploit is.

    2. Andrew

      If you use DHCP a malicious DHCP server or router (think public wifi) could exploit this bug against you if unpatched. Which is admittedly an unlikely scenario

      1. Jon Marcus

        @Andrew, are you sure? DHCP servers are vulnerable. But I don’t believe there’s a client-side DHCP vulnerability here that’d be addressed by patching bash.

  8. bob

    I get the following result:

    Last login: Tue Sep 30 09:20:21 on ttys000
    myapple:~ myname$ bash –version
    bash: –version: No such file or directory
    myapple:~ myname$

    Any ideas? Running Mountain lion

    1. timeless

      For reference, this is because either Brian copied from a source which had “helpfully” converted a basic dash into a fancy one, or because the publishing tool that Brian was using did the same.

      Unix shells (and DOS/Windows command interpreters) take things literally: if you give them input they aren’t expecting, they will treat it like any other normal input.

      `bash` is a command, so the prompt you’re in is able to run it.
      the ` ` space after `bash` delimits the command from its arguments.
      bash takes its arguments and parses them for things it recognizes like {dash}version, and the remainder it will use in a moment. The first thing after all arguments and variable settings (A=B, which is related to the attack that’s being fixed…) is the name of a script / function which bash thinks you want it to run. Since it was given “{long-dash}version”, which isn’t something it was looking for, it looks in your $PATH for a file/program named “{long-dash}version”. When it can’t find “{long-dash}version”, it does you a favor and says so (with a really arcane error message that existing scripts, possibly from twenty years ago, can parse to recognize that the file they were asking about doesn’t exist).

      This relates to an earlier request for Brian to fix his page to use a shorter dash.

      1. bob

        Thank You. I must confess that I didn’t know there were two kinds of dashes.

        1. timeless

          There are actually quite a few, but you should only run into two.

          Here are the more obvious dashes:
          – -
          ‑ ‑
          – –
          — —
          ⸺ ⸺

          * The first one is the one that computers like.
          * The second one is a nonbreaking dash.
          * The third, fourth, and fifth are the n-width, m-width, and double-m-width dashes (that is, a bar at dash elevation of width n, m, or 2 m’s, respectively).
          * The fifth in the default font in my browser is showing a replacement character (indicating it isn’t supported there) — your mileage may vary.

          1. timeless

            thanks to @stvs, we now know how to correctly insert these characters w/o them being corrupted.

            For people trying to read my comment table, just ignore the first column, that was munged by the munger…

  9. bob

    I reran the test but typing in “bash -version” instead of using copy and paste and got the correct results.

  10. David Longenecker

    Brian, I have yet to see anything definitive about iOS. It is possible to gain terminal access to a jailbroken iPhone / iPad, but I don’t have one to check versions on. Lots of speculation that iOS doesn’t contain the vulnerable shell, or that there is no avenue to exploit it if it does, but have you any concrete information on that topic?

    1. Wayne

      I don’t know whether or not iOS is affected, but Apple did just release the patch for 8.0.2 last night for phones after they had to yank the 8.0.1. I installed it on my phone this AM and it seems stable, it’s been fine on my iPad for a few days.

    2. Thomas

      As far as I know, the vulnerability does not affect official iOS products. If you jailbreak the phone or other device, then you are without official support channels 🙂

  11. Anchorjack


    Please revise your article to read:
    “Patches are available … from the following links….”

    Using “Software Update” will download version “GNU bash, version 3.2.51 …”

    As of this a.m., version 3.2.53 is only available via the links you’ve posted.

  12. muffin

    Sorry for this very simple question: could someone confirm that this does not apply to the iPhone?

        1. Thomas

          Tim –

          Yes, that is correct. iOS devices (non-rooted) should not be affected; rooted devices may be susceptible.

          Please see my post above “As far as I know, the vulnerability does not affect official iOS products. If you jailbreak the phone or other device, then you are without official support channels :)”


        2. Jon Marcus

          By that standard any device is vulnerable to any exploit. Because it’s theoretically possible that you took control of it and installed a vulnerable system/application.

          On Android at least, you need to have rooted it *and* installed a mod with bash to have even a theoretical vulnerability. And the most common one (CyanogenMod) doesn’t have bash as the default shell. So the vulnerable surface is pretty small and well buried. (And CyanogenMod nightlies already have a patched bash.)

  13. Wayne

    What I’m wondering is whether or not this is a complete patch. Everything that I’ve been hearing is that the *nix patches that were available were only partial, fixing the most immediate problem, and that future patch(es) would be required.

  14. Jim

    Ran the updates and am showing:
    JimT$ bash -version
    GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin12)

  16. ShellShocker

    For more information about Shellshock, along with a website and standalone server tester you can visit

    There are instructions on how to patch your system there too.

    Want to help contribute to the project? Click on the GitHub link in the header and send in a pull request.


  17. Unix-Ninja

    Please note, this patch only PARTIALLY fixes shellshock. The common () { :;} attack seems to be mitigated after I applied this patch on Mavericks. However, the () { (a) variant of the shellshock attack still makes it through.

    1. Al Varnell

      Are you talking about:
      env X='() { (a)=>\’ sh -c “echo date”; cat echo; rm ./echo?

      If so, you must first make certain to have first removed the “echo” file from your home folder.

      1. Unix-Ninja

        No, it’s not quite that one.
        env X='() { (a)=>\’ sh -c “echo vulnerable”; bash -c “echo Test 2”

        However, it’s also vulnerable to a few others. Like:

        env “__BASH_FUNC()”='() { echo game over;}’ bash -c ‘ls’

        Basically, Apple’s patch is simply incomplete at best.

        1. Al Varnell

          That assumes those tests actually indicate a vulnerability.

          The second one is specifically written to bypass one of the Apple patch features.

          I tried the tests in “How to Test Bash for Shellshock Vulnerabilities” and passed them all.

          1. stvs

            OS X bash vulnerabilities remain.

            The bash bug is tickled on OS X bash Update 1.0, version 3.2.53(1), with the command:

            env '__BASH_FUNC<ls>()'="() { echo Game Over; }" /bin/bash -c ls

            The latest upgrade of Macports bash, version 4.3.27(1), doesn’t have this vulnerability.

            1. Al Varnell

              Which specific CVE is that supposed to test and what does it reveal for pass and fail? I see it’s been written to specifically avoid Apple’s inadvertent check.

              1. stvs

                env '__BASH_FUNC()'="() { echo Game Over; }" /bin/bash -c ls

                Which specific CVE is that supposed to test and what does it reveal for pass and fail? I see it’s been written to specifically avoid Apple’s inadvertent check.

                OS X bash remains insecure.

                OS X bash insecurely parses the trailing string as a shell command.

                Few of us care which specific CVE category describes this bug, or whether it’s written with Apple in mind or not.

                We just want Apple to upgrade the upgrade soon.

      2. Curt

        @Al Varnell. As per other guidance on StackExchange I ran the command “rm -f echo” as part of testing. Then panicked realizing I just deleted something unconditionally. Wasn’t that critical and needed by my system? What did I delete and why was it there in the first place and do I need to get it back? I have searched everywhere and you are the only person I can find to ask!

        1. stvs

          I ran the command “rm -f echo” as part of testing. Then panicked realizing I just deleted something unconditionally. Wasn’t that critical and needed by my system?

          No, unless you did that from the /bin directory as a sudoer. Type these commands just to make sure:

          which echo
          ls -l `which echo`
          touch echo
          ls -l echo
          rm -f echo

          There’s a big difference between the executable file /bin/echo and an empty file you create in your home directory that’s also named echo.

          If you ever do mess up, make sure you’re running a Time Machine backup and have a full bootable system backup. You can use Time Machine with local disk storage to fix mistakes if you tell it this:

          sudo tmutil enablelocal

          Then just grab the files you need from your incremental backup, whether stored locally or externally.

          1. Curt

            @stvs. Thanks for the reassurance. I was in my home directory. Perhaps I did have an empty ‘echo’ file in there and just didn’t know it (not sure how it got there). When I get home tonight I will run through your commands to just make sure. I still don’t understand why I had an ‘echo’ file in my home folder anyways!

            Seems like there was something there before because now when I run ‘cat echo’ from my home directory I get an error (something about “file not found”).

            1. Al Varnell

              One of the test sequences published elsewhere writes a file to your home directory named “echo” containing only the date and then displays its contents if the vulnerability is present. If you don’t remove that file and run the test after the patch was made, the file will still be there and give you a false positive indicating you are still vulnerable. That’s why you were instructed to “rm” it when you were finished with the first test.

              1. Curt

                Thanks for the replies. All is well. Would have been probably better for the original tester to call the file ‘foobar’ or something besides ‘echo’…just my opinion…

                Lots of confusion, multi-patches, multi-threats, and multi-tests. Not all necessarily in sequential order and most of them out of date as soon as they are posted.

                I’m not an expert but still, I can’t understand how such functionality in Bash has ‘remained obscure and unknown’ for so long! As soon as it was discovered it seems like everyone knows of a different attack vector. If everyone knows so much about it, how did this get missed for so long? And certainly the NSA has known about this…

  18. SecurityLurker

    Fixes are included in Yosemite Update 4 as well – as anticipated:

    GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin14)
    Copyright (C) 2007 Free Software Foundation, Inc.

  19. Keyspace

    I’m actually pleased to see Apple acknowledging a security issue in a timely manner and patching it rather than their previous efforts of head in the sand approach to things.

    Well done Apple

  20. Podhack

    Hi all,
    I have the following:
    GNU bash, version 4.2.37(2)-release (i386-apple-darwin12.0.0)

    Have I to fix it? How can I do that?

    1. stvs

      That’s not the OS X root shell. OS X uses version 3.2.53(1). You’re probably looking at a MacPorts or brew bash. Check using these commands:

      /bin/sh --version
      /bin/bash --version
      which bash
      echo $PATH # Put /bin before /opt/local/bin to use OS X’s bash

  21. stvs

    my WordPress install is combining these two dashes; it should read the word “bash” followed by a space, then two dashes, and the word “version”

    Brian, for command line stuff please use html escape characters, - for -, &apos; for ' &quot; for &quote; and so forth. The bash version command is typed as:

    bash --version

    which renders as

    bash --version

Comments are closed.