Apple is not addressing the Bash bug

49 points by esolyt, more than 10 years ago

12 comments

snowwrestler, more than 10 years ago
Apple has explicitly said that they are addressing the bash bug, and that they will issue a patch for it as soon as it is ready.

> "we are working to quickly provide a software update."

http://www.huffingtonpost.com/2014/09/26/shellshock-bug_n_5888204.html

Want to get mad at a company? How about Netgear, which as far as I can tell has provided no official statement, warning, or patch for their consumer routers and APs.

Or how about LG? I have an LG Linux-based smart TV and I can't find one thing they've said about Shellshock. (In fact, I have not received a software or firmware update to that TV for well over a year at all.)

Or how about Synology, who said almost the exact same thing Apple did. Where are the posts suggesting we all stop putting our data into Synology NAS?

> A thorough investigation by Synology shows the majority of Synology NAS servers are not concerned. The design of Synology NAS operating system, DiskStation Manager (DSM), is safe by default. The bash command shell built-in in DSM is reserved for system service use (HA Manager) only and not available to public users. For preventive purpose, Synology is working on the patches addressing this bash vulnerability and to provide them as soon as possible.

a_c_s, more than 10 years ago
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities… With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.” -Apple

Apple says they are working on a fix. Given that other vendors like RedHat had to issue multiple patches before they finally squashed the bug, I think it is far too early to claim that Apple isn't fixing this in a timely manner.

Someone1234, more than 10 years ago
Apple really got off super easy on the iCloud thing. As the article alludes to, they knew for months before the break-in, heck a lot of people on HK knew for months before the break-in (there was an article about it months ago) and yet they did nothing. Then when someone utilised that well publicized issue to break into accounts they pretended like they couldn't have seen this coming and it was a "targeted break-in" whatever the heck that means.

If it was any other company they would have got shit all over. Apple just has a very poor security culture internally, they're like Microsoft pre-Windows XP SP2. Microsoft made a huge cultural shift, it is about time Apple do the same.

falcolas, more than 10 years ago
> While it should actually be a reasonable assumption, this is likely inaccurate both concerning public servers

Funny, I have personally worked at a company which ran their frontend on Mac Minis. They weren't using CGI, but at least part of the assumption that people don't run Apple web servers is false.

Also, Mac supports running an Apache instance configured to run CGI scripts out of the box, correct? I haven't personally used it.

unspecified, more than 10 years ago
There is a handy script to get the Bash tarball from opensource.apple.com, apply patches 52, 53, and 54 from ftp.gnu.org, build it, and then prompt to replace /bin/bash and /bin/sh. Xcode required.

https://github.com/tjluoma/bash-fix

(yes, you have zsh on OSX by default)

SyneRyder, more than 10 years ago
For anyone wanting to patch their Mac (especially any older Macs, right back to 10.4 PPC) to the latest 4.3.27 bash without compiling themselves, TenFourFox posted a binary a few hours ago & some simple Terminal instructions:

http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html

TenFourFox are the people behind Firefox for old PPC Macs. The binary they posted today includes a patch for CVE-2014-6277, which bash 4.3.26 didn't have.

0x0, more than 10 years ago
Is it worth filing radars with CVE references to put some pressure on this?

0x0, more than 10 years ago
Fix has been released: http://support.apple.com/kb/DL1769

fleitz, more than 10 years ago
Maybe I'm not doing things right, however, when I run the test code for shellshock my 10.9.4 box seems immune.

Maybe it's homebrew patching it...
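
The local check discussed in the comment above, as an added example that is not part of the original thread: it tests each shell binary by absolute path, because the bash found first on PATH can be a patched build while /bin/bash and /bin/sh are still the vendor's. The function names, the `probe` variable and the `/usr/local/bin/bash` location are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify each shell binary separately instead of testing
# whichever "bash" happens to be first on PATH.

# check_function_import SHELL_PATH
# Prints one of: missing | vulnerable | not-vulnerable
check_function_import() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo missing; return 0; }
    # The variable's value looks like an exported function definition with a
    # harmless trailing command. A bash without the fix runs that command
    # while importing its environment; a fixed bash (or a non-bash sh) does not.
    out=$(env -i probe='() { :;}; echo IMPORTED' \
          "$shell_path" -c 'echo done' 2>/dev/null) || true
    case $out in
        *IMPORTED*) echo vulnerable ;;
        *)          echo not-vulnerable ;;
    esac
}

# audit_shells PATH...
# Prints "path<TAB>result" per binary; returns 1 if any binary is vulnerable.
audit_shells() {
    rc=0
    for p in "$@"; do
        result=$(check_function_import "$p")
        printf '%s\t%s\n' "$p" "$result"
        if [ "$result" = vulnerable ]; then
            rc=1
        fi
    done
    return $rc
}

# /usr/local/bin/bash is an assumed location for a separately installed bash.
audit_shells /bin/bash /bin/sh /usr/local/bin/bash ||
    echo "at least one shell still runs code from imported variables"
```

A `not-vulnerable` result covers only the original function-import behaviour; the later parser bugs, such as the CVE-2014-6277 mentioned by SyneRyder, need the newer patch levels discussed in the thread.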

jzelinskie, more than 10 years ago
Isn't Apple stuck to an old version of Bash due to the GPL, just like they were with GCC?

kainsavage, more than 10 years ago
Isn't this irrelevant since no one is 1) using CGI on Macs and 2) no one is using a Mac as a server?

ryangripp, more than 10 years ago
The fact the post was shared on Google Plus speaks volumes.