Critical security vulnerability in Bash

A vulnerability has been discovered in Bash that allows remote code execution on an affected computer. This vulnerability is being referred to as “Shellshock.” All computers and devices running Bash are vulnerable, including Mac OS, Linux, and Unix variants. University Systems recommends that vulnerable systems be patched as soon as possible.

Patches to resolve this issue are available for:

Currently, no patch is available for Mac OS. Symantec has provided updated exploit signatures for Symantec Endpoint Protection to protect against this Bash exploit. To help protect vulnerable Mac OS computers, we recommend that you install and update Symantec Endpoint Protection. Symantec Endpoint Protection is available for free for all faculty and staff from the University Systems website.

Additional information about this vulnerability is available from the National Vulnerability Database as CVE-2014-7169.

If you have any questions about this notice, please contact the Computer Help Desk at 250-721-7687 or helpdesk@uvic.ca.


Update September 25, 4:23pm

University Systems is actively working to ensure all online services at UVic are protected. During this time, some UVic services may be unavailable.  We apologize for any inconvenience that this may cause.


Update September 25, 6:00pm

On Sept. 24 a global computer bug referred to as “Shellshock” was discovered in the UK. This bug poses a security vulnerability to Mac OS, Linux and Unix systems.

University Systems is actively working with our vendors to ensure all online services at UVic are protected. As a result, key university services are temporarily offline, including:

  • Banner
  • CourseSpaces

We are working to restore these systems as soon as possible, but at this point it isn’t clear how long that may take. Updates will be posted on www.uvic.ca as soon as they become available.

We apologize for any inconvenience. For more information, contact the Computer Help Desk at 250-721-7687 or helpdesk@uvic.ca.


Update September 25, 9:50pm

Security patches for a number of our services have been applied. Patched services are back online, including CourseSpaces and Banner.

We are continuing to work with our vendors to patch remaining services. We appreciate your continued patience as we work to resolve this problem.


Update September 26, 10:45am

Apple has not yet released a patch for Mac OS; however, in a statement to iMore, Apple has said that OS X is safe unless "users configure advanced UNIX services." Advanced UNIX services may include remote access services via SSH or running a web server.

Until a patch has been released, Mac users can best protect themselves using Symantec Endpoint Protection, which is available for free for all faculty and staff. Symantec has released updates to help protect against "Shellshock."


Update September 29, 3:15pm

Apple has now released OS X bash update 1.0 to address the "Shellshock" vulnerability:

http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

University Systems recommends that Mac users apply this update.