Recently, I applied About OS X bash Update 1.0 to address CVE-2014-6271 and CVE-2014-7169, more commonly known as Shellshock. After applying, I ran Hanno Böck’s bashcheck script and was dismayed to discover my shell was still vulnerable to the exploit.

After reapplying the update and seeing the same lack of success, I naturally felt my iMac problem was of sufficient urgency to immediately escalate to the Windows server support team. A Shane Golden on the team helped identify that the version of bash after the update was not the expected GNU bash, version 3.2.53(1). Instead, and somewhat unexpectedly, I was at version 4.2.20. I received guidance that if I wanted MacOS support from the Windows server team in the future, I should stick with in-box software and updates, and was sent on my way.

My troubleshooting session with the Windows team helped me remember I became a user of Homebrew, a Ruby-based package manager for MacOS. It turned out that when I transitioned from using GNU screen to tmux, I also upgraded GNU bash at the same time.

After unsuccessfully searching Knowledge Cards for a solution, I managed to sort out the issue and get my bash updated to a patched version by issuing the following commands:

brew update
brew unlink bash
brew install bash

After that, I was at GNU bash, version 4.3.28(1), and the bashcheck script provided the validation output I was hoping for:

Testing /usr/local/bin/bash ...
GNU bash, version 4.3.28(1)-release (x86_64-apple-darwin13.4.0)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
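
The problem in this post came down to a Homebrew-installed bash sitting alongside the in-box one, so the vendor update and the shell actually being tested were different binaries. The sh script below is an added example, not part of the original post: it lists every bash found on PATH with its version and compares it with the two versions the post names (3.2.53 and 4.3.28). The function names and status labels are assumptions made for the example.

```shell
#!/bin/sh
# Inventory every bash on PATH and compare it with the versions this page names.

# Extract "major.minor.patch" from the first line of `bash --version`,
# e.g. "GNU bash, version 4.3.28(1)-release (...)" -> "4.3.28".
parse_bash_version() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'
}

# Classify a version against the two builds the page reports:
# 3.2.53 (expected after Apple's update) and 4.3.28 (Homebrew, passed bashcheck).
# Other series are "unknown-series": the page gives no patched level for them.
classify_version() {
    series=${1%.*}      # "4.3.28" -> "4.3"
    patch=${1##*.}      # "4.3.28" -> "28"
    case "$series" in
        3.2) min=53 ;;
        4.3) min=28 ;;
        *)   echo "unknown-series"; return 0 ;;
    esac
    if [ "$patch" -ge "$min" ]; then
        echo "at-or-above-page-version"
    else
        echo "below-page-version"
    fi
}

# Print one line per bash found, in PATH order; the first line is the
# binary a bare `bash` command resolves to.
bash_inventory() {
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        [ -x "$dir/bash" ] || continue
        ver=$(parse_bash_version "$("$dir/bash" --version 2>/dev/null | head -n 1)")
        [ -n "$ver" ] || continue
        printf '%s\t%s\t%s\n' "$dir/bash" "$ver" "$(classify_version "$ver")"
    done
    IFS=$old_ifs
    return 0
}

bash_inventory
```

A version match is only a first pass; a functional check such as the bashcheck script used above remains the confirmation.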