Apple has responded to concerns about “Shellshock,” a pair of vulnerabilities in versions of the GNU Bourne-Again Shell (bash), issuing a statement that the company is “working to quickly provide a fix” to the vulnerability. However, a company spokesperson said that most Mac OS X users have nothing to fear.
In an email to Ars Technica, an Apple spokesperson provided the following statement from the company:
"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
Update: Chet Ramey, the maintainer of bash, said in a post to Twitter that he had notified Apple of the vulnerability several times before it was made public, "and sent a patch they can apply. Several messages." So it's not certain why Apple hasn't already packaged that fix for release, other than