There’s been a lot of uncertainty around the Bash flaw (or Shellshock bug) that was uncovered this week, with Linux and OS X systems thought to be particularly vulnerable. Apple has released a statement saying there’s no need to panic: Most users should be safe from harm, with no patches necessary.
“The vast majority of OS X users are not at risk to recently reported Bash vulnerabilities,” said Apple in a statement emailed to various press outlets. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
If you are one of the “advanced UNIX users” that Apple refers to, then the safest course of action is to disable the services in question until the company is able to get an update out, though Apple hasn’t specified which services are affected. What makes Shellshock so dangerous is that it’s been present in every UNIX system since way back in 1989, so there are a lot of potentially exposed systems out there.
As a result, the National Vulnerability Database rated the severity of the problem at “10.0 HIGH” earlier in the week. For the average user, there’s not much you can do except wait for the necessary patches to appear; if you run a website or server, then you might have a problem. We’ve put together a straightforward guide to checking if your site is under threat.