Shellshock: Apple rolls out OS X patches for Bash bug

Apple has moved to fix the Bash security flaw that affected many of the company's OS X-running computers.

Also known as Shellshock, the bug could allow hackers to take over a victim's computer. The vulnerability involves the execution of malicilous code within the Bash command shell, which is used in many Linux- and Unix-based operating systems, such as OS X.

Apple said it has now patched the flaw in its OS X Lion, Mountain Lion and Mavericks software. The company also set up a site for users to download the Bash update.

Following news of the vulnerability, Apple quickly moved to deny there was a problem and said the vast majority of users shouldn't be affected by the problem and that it was working to provide a software update for its advanced Unix users.

"Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorised users to remotely gain control of vulnerable systems," Apple said last week.

"With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services."

However, while the patch fixes two vulnerabilities, security researchers have discovered a third. According to Greg Wiseman of IT security firm Rapid7, another flaw.

"Amidst the flurry of activity and interest around Shellshock over the last week, several additional bash vulnerabilities have come to light. The initial fix for CVE-2014-6271 was incomplete, leading to CVE-2014-7169 being found," said Wiseman.

He claims to have found the extra vulnerability with a tool called bashcheck, which tests for vulnerabilities in an installed version of Bash, and that he found it to still be vulnerable to CVE-2014-7186. This could result in a denial of service attack preventing a computer from connecting to other networks, it is feared.