The release comes just days after Apple confirmed that Mac OS X, which is derived from Unix, was vulnerable to the bug, although the company claimed anyone using default Mac settings should be safe.
According to Apple, only users who configured advanced Unix services were at risk, but the company did not name any of the services involved.
Some users resorted to technical workarounds, but now Apple has published automatic updates for the latest versions of OS X.
Researchers at security firm FireEye have observed a “significant amount of overtly malicious traffic” using Bash.
This malicious traffic includes malware droppers, reverse shells and backdoors, data exfiltration, and distributed denial of service (DDoS) attacks.
The researchers think it is only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise.
Attackers have deployed scanners looking for vulnerable machines, and these scanners have been bombarding networks with traffic since the 25-year-old bug was made public on 24 September.
The Shellshock bug is widely regarded as a bigger threat than the Heartbleed OpenSSL bug because it affects a thousand times more computers and is easily exploited to enable attackers to take full control of the target computer.
The US and UK Computer Emergency Response teams were quick to issue warnings about the Shellshock bug, and urged affected organisations to install software security updates immediately.
The Information Commissioner’s Office (ICO) has also urged organisations and individuals to make sure their IT systems are up to date.
“This flaw could be allowing criminals to access personal data held on computers or other devices. For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure,” an ICO spokesperson said.
The biggest threat is to the enterprise, because many web servers run on Apache, software that calls on the Bash component.
But, while most of the main Linux distributions have rushed to release updates, security experts have raised concerns about Unix-based embedded systems in internet of things (IoT) devices and legacy systems used by many critical national infrastructure suppliers.
Security researchers have warned that, while home users and traditional servers may be able to patch their way out of danger, this solution is not available for many embedded devices and Unix-based industrial control systems.
This also applies to supervisory control and data acquisition (Scada) systems commonly used by critical national infrastructure.