Earlier this month, Stephane Chazelas revealed a major flaw in bash, the shell software used in Linux and Unix-related systems, including OS X.
A shell processes commands, whether they are entered directly in a terminal program or contained in scripts.
The flaw, widely known as Shellshock, has been present for two decades.
The US National Institute of Standards and Technology (NIST) assigned it the highest possible severity score of 10.0, because it is remotely exploitable, of low access complexity, requires no authentication, and allows the unauthorised disclosure of information, unauthorised modification, and disruption of service.
A particular issue is that bash is thought to be present in a wide range of devices that use Linux such as routers and surveillance cameras. (That should not be interpreted as a blanket claim that all such devices are vulnerable, only that owners should ask the question of their vendors.)
In that regard, the main concern seems to be devices with a web interface that execute CGI (Common Gateway Interface) scripts, as attackers can craft malicious URLs that exploit the bug on such devices, just as they can on regular web servers that use the vulnerable software.
Another part of the problem is that Shellshock is said to give attackers a way to reach other vulnerabilities that may be present in affected systems, for instance to gain higher privileges.
As previously reported, Apple did not release a patch in the same timeframe as Linux distributions did, but that patch has now arrived.
Apple's update
Apple's bash update addresses both the original issue identified by Mr Chazelas and a related problem identified by Tavis Ormandy.
Curiously, Apple has not followed its usual practice for distributing security updates.
The bash update is not available via the Mac App Store; instead, users must manually download the patch corresponding to their version of the operating system from Apple's web site.
This particularly affects people still using the Snow Leopard release, the last version of the operating system that supports PowerPC software.
If they don't want to go to the trouble of compiling a current version of bash from the source code, the TenFourFox project (a Mozilla-based browser for Power Macs) offers a prebuilt patched version for ease of installation.
That version apparently works on all versions of OS X up to and including Snow Leopard.
Work is still being carried out to fix related issues that have been uncovered in the 'official' version of bash, so it is possible that there will be at least one further update from Apple.
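Whether a given machine has picked up a fixed bash, whether from Apple's download, a self-compiled build or the TenFourFox package, can be confirmed with the following self-check. It is an added example, not code from the article, Apple or the TenFourFox project, and it covers only the original flaw found by Mr Chazelas, not the related issues mentioned above; the function name and the marker string are my own.

```shell
#!/bin/sh
# Defender-side self-check for the original Shellshock flaw (added example).
# Vulnerable versions of bash keep parsing an exported function definition
# past the closing brace and execute whatever follows it; a fixed bash stops
# at the brace and only warns. The same import path is what CGI exposes,
# because web servers hand request headers to scripts as environment
# variables. Prints exactly one of: vulnerable | patched | missing
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "missing"
        return 0
    fi
    # Crafted variable (constructed for this check): a function body that does
    # nothing, followed by a command that only prints a marker string.
    out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Run it directly: exit non-zero when the installed bash still has the bug,
# so the script can be dropped into a fleet check or a post-patch test.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    status=$(shellshock_status)
    echo "bash status: $status"
    [ "$status" != "vulnerable" ]
fi
```

Run it on each system after installing the update; a result of "patched" only means the original bug is closed, so further Apple updates for the follow-on issues should still be applied when they appear.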