“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” states the Apple public statement. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
“Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability,” states the Oracle Security Alert for CVE-2014-7169.
“The fixes that are available for immediate application by customers are listed in the Patch Availability Table. This Security Alert will be updated when fixes are available for additional affected Oracle products without sending additional emails to customers. Customers should check this page for updates.
Due to the severity, public disclosure, and reports of active exploitation of CVE-2014-7169, Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.”
An unofficial patch that fixes the Bash Bug is also available on the Internet: in a message sent to the Open Source Software Security (oss-sec) mailing list, the maintainer of Bash, Chet Ramey, addressed the vulnerability and issued the patch.
(Security Affairs – BashBug, Oracle, Apple)