
Best practices for patching the bash vulnerability


elliotjordan

Has anybody created a good workflow for this yet? I'll be working on deploying a patch tomorrow, and would love to hear from those on the bleeding edge.

57 replies

  • Contributor
  • 96 replies
  • September 25, 2014

I have created a compiled version of bash 3.2.52 for 10.6, 10.7, 10.8 and 10.9 and made an installer that does the hard work for you. You can deploy it via Casper, ARD or double click on the installer.

Please feel free to download it from my blog

http://blog.designed79.co.uk/?p=2000


  • Honored Contributor
  • 1143 replies
  • September 25, 2014

Here is some more info on compiling

http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html

It sure would be nice when Apple releases a fix if it doesn't require you to be latest rev of OS. We are 10.9.4 (and don't have staff/resources to push 10.9.5 to all of our computers), and I'm pretty confident Apple's fix won't work for us.

For things like this, Apple should release a small update that can be pushed to every customer. We'll see.


  • Valued Contributor
  • 120 replies
  • September 25, 2014

I've sent in a request to our TAM at Apple to see if we can get any general timeline of an update and what OS versions will receive the patch. I'm hoping we see something for at least as far back as 10.7. I'm not optimistic I'll get any additional info before the rest of the public does, but if I get any specifics on Apple's strategy for patching this vulnerability I'll be sure to share it here.


  • Contributor
  • 94 replies
  • September 25, 2014

  • Honored Contributor
  • 1143 replies
  • September 25, 2014

My enterprise ticket response was "Thank you for raising your concern regarding the publication of CVE-2014-6271. For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. I would recommend to monitor the security updates from our Product Security team as outlined on the following page.
https://www.apple.com/support/security/"


  • Contributor
  • 96 replies
  • September 25, 2014

tron_jones that is the process used to make the binaries in my installer


  • Contributor
  • 94 replies
  • September 25, 2014

@Lotusshaney

Tested on two machines with both methods. Your .pkg worked great. Thanks for packaging it up. For anybody that doesn't know, you can check your version of bash by opening up a terminal and running

bash --version

  • Valued Contributor
  • 120 replies
  • September 25, 2014

@CasperSally Welp, that's disappointing. I won't hold my breath for anything more than that on my end either.


dpertschi
  • Contributor
  • 459 replies
  • September 25, 2014

@Lotusshaney

Ditto, your package works for me, thanks for wrapping that up so fast. I love this place!

It's always good fun to have a solution before security dept. comes asking about something.


  • Honored Contributor
  • 1143 replies
  • September 25, 2014

@dpertschi it would be even more good fun if Apple were as fast and flexible.


  • Valued Contributor
  • 1007 replies
  • September 25, 2014

Seems to me, if you are truly worried about a security vulnerability, you ought not to be taking bash compiled by anybody else outside of Apple. Not questioning @Lotusshaney and his good-heartedness, but what a great way to get your own vulnerability into the wild...
Being that this has existed for quite some time, and there are no known exploits, one might think we could wait a day or two for Apple. Maybe make sure ssh is locked down to our admin users, notify our users that being stupid and going to questionable websites might not be the best plan for now. Only install software that is signed from trusted vendors (oh wait, anybody installing any software from a package is at the mercy of the packager with or without this vulnerability.)
I think unless one of my customers demands a fix today, I will be waiting, especially since there is speculation that the current fix is not complete too, but only speculation.


donmontalvo
  • Legendary Contributor
  • 4293 replies
  • September 25, 2014

@nessts I agree, if you're running a business, might be better to wait for Apple. Now that word is spreading, shouldn't be long before a Security Update is released. I hope. Hacking business systems is unnecessary overhead, now and later if it gets in the way of Apple's own fix.


  • Contributor
  • 96 replies
  • September 25, 2014

Agreed, but my company is a huge global education supplier and takes security very seriously, so I have to have a patch ready. Apple can't or won't give a timeline for it.


mm2270
  • Legendary Contributor
  • 7880 replies
  • September 25, 2014

Have to agree with some of the later posts here. I'm not questioning the legitimacy of Lotusshaney's installer. I'm sure it's fine and works fine, but at the org I'm at they would never approve of installing something not from the vendor directly, at least in relation to patching a vuln. If we compiled it ourselves in house, perhaps security would be OK with that, but I'm not even sure about it in that case.
We're submitting a ticket with our enterprise AppleCare support and waiting to hear from them. I'm sure Apple will release a patch soon enough. My only remaining concern will be that we won't likely see a patch for anything under 10.9, so we may need to take some action for our clients still on 10.8 and 10.7, assuming this affects them and I think it does.

On a side note here, I'm not the least bit surprised this is happening. Apple has been routinely ridiculed by the 'nix admins on sites like SuperUser and StackOverflow for shipping an out of date version of bash with OS X. I really wish they'd stay on top of that a little better. I know there are some rare cases where having an older version of an open source product has actually paid off for Apple, but more often than not it can lead to these kinds of security issues.


  • Contributor
  • 94 replies
  • September 25, 2014

Yeah, I have the luxury of waiting for Apple here where I am. I used the stack exchange method and compiled one on my own if needed.

http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html


  • Contributor
  • 116 replies
  • September 25, 2014

Guys, I found a great article on how to patch the vulnerability. I've tested it and this fixes it completely until Apple can come out with a patch.
http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7


  • 0 replies
  • September 25, 2014

There are in-the-wild exploits happening, so if you have publicly-available machines or anything critical, you might at least want to consider patching or otherwise hardening:

https://gist.github.com/anonymous/929d622f3b36b00c0be1


Chris_Hafner
  • Jamf Heroes
  • 1718 replies
  • September 25, 2014

Yep... I'm waiting on Apple as well. Not to say that we're not at the top of our game on the educational side of things. I just can't justify the 'fix' when Apple (God help me for saying this) must be prepping a fix right around the corner. Hopefully, I'll still be able to make phone calls after ;-)


  • Contributor
  • 96 replies
  • September 25, 2014

Totally agree about the privacy concerns. I also would be doubtful of it to be honest. It's just that I know most people won't know how to compile from source. Also I have a lot of older 10.6 and 10.7 clients and I know Apple won't patch them, but my build will and that might help others.


donmontalvo
  • Legendary Contributor
  • 4293 replies
  • September 25, 2014

@Chris_Hafner I saw what you did there. ;)

Hopefully, I'll still be able to make phone calls after ;-)

mm2270
  • Legendary Contributor
  • 7880 replies
  • September 25, 2014

Hehe. I didn't actually get that at first (slow day for me I guess) but I do now. Good one! :)

As for this issue, thanks for the heads up about the exploits in the wild. It's good information to have, even if we ultimately decide to wait on Apple for an official fix. If it looks like it will take too long to get that fix, then I guess we'll need to use one of the above links to compile our own and distribute it. Hopefully Apple won't be dumb@sses and allow it to get to that point though.


elliotjordan
  • Author
  • Valued Contributor
  • 143 replies
  • September 25, 2014

Apparently there are two different vulnerabilities at the moment: the original one (which @GaToRAiD and @tron_jones pointed out), and the new one, CVE-2014-7169, which has not yet been patched as far as I have seen.

I'm waiting to deploy anything until both are confirmed to be patched.


  • New Contributor
  • 14 replies
  • September 25, 2014

Hi,
Anyone have an Extension Attribute for reporting the bash version?


  • Contributor
  • 116 replies
  • September 25, 2014

@elliotjordan The second one CVE-2014-7169 is fixed by the instructions in the link. The only thing that is not fixed is it still creates a file in the location that it is run in. The file is blank and has no contents in it.


  • Contributor
  • 94 replies
  • September 25, 2014

@Lindsey

#!/bin/bash
# Jamf Extension Attribute: report the version of the system bash.
# Check /bin/bash explicitly (not whichever bash is first in PATH) and
# take the 4th field of the first line, e.g. "3.2.51(1)-release".
echo "<result>$(/bin/bash --version | head -n 1 | awk '{print $4}')</result>"

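One way to turn the version-reporting Extension Attribute into something a smart group can key on, as an added example that is not code from the thread: it parses the banner line of `/bin/bash --version`, compares the version numerically against a chosen minimum, and reports "pre-patch" or "patched". The minimum of 3.2.52 is an assumption taken from the build compiled in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses `/bin/bash --version`
# and reports whether the installed bash meets a chosen minimum patch
# level. MIN_PATCHED is an assumption: 3.2.52 is the build compiled in
# the thread; set it to whatever build your security team has approved.
MIN_PATCHED="3.2.52"

# Pull "3.2.51" out of a line such as:
#   GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
# Prints nothing if the line does not look like bash's banner.
bash_version_from_line() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Component-wise numeric comparison of two x.y.z versions, so that
# 3.2.9 sorts below 3.2.52. Prints "older", "same" or "newer".
compare_versions() {
    a_major=${1%%.*}; rest=${1#*.}; a_minor=${rest%%.*}; a_patch=${rest#*.}
    b_major=${2%%.*}; rest=${2#*.}; b_minor=${rest%%.*}; b_patch=${rest#*.}
    for pair in "$a_major $b_major" "$a_minor $b_minor" "$a_patch $b_patch"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then echo older; return; fi
        if [ "$1" -gt "$2" ]; then echo newer; return; fi
    done
    echo same
}

# Turn one banner line into the text that goes inside <result>.
classify_line() {
    ver=$(bash_version_from_line "$1")
    if [ -z "$ver" ]; then
        echo "Unknown"
        return
    fi
    case $(compare_versions "$ver" "$MIN_PATCHED") in
        older) echo "$ver (pre-patch)" ;;
        *)     echo "$ver (patched)" ;;
    esac
}

# Extension Attribute entry point: checks the system bash, not the first
# bash on PATH, so a user-installed copy cannot mask the result.
if [ "${1:-}" = "--ea" ]; then
    echo "<result>$(classify_line "$(/bin/bash --version 2>/dev/null | head -n 1)")</result>"
fi
```

A version number only tells you whether the build you chose is installed; it says nothing about a binary whose version string you did not set yourself, so treat it as inventory, not as proof the fix is complete.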

