You can test whether a system is vulnerable to the Shellshock vulnerability, also known as Bashdoor (CVE-2014-6271), with the command
env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
If the system is vulnerable, the command that follows the function body, here the echo vulnerable after the closing brace and semicolon, is executed as well and you will see its output. The cause is the way a vulnerable Bash imports function definitions from the environment: instead of stopping at the end of the definition, it also executes whatever has been concatenated onto the end of the value of the environment variable, and it does so while starting up, before it runs the command given with -c.
When I checked a MacBook Pro running OS X 10.8.4, I saw output indicating it was vulnerable, i.e., I saw "vulnerable" displayed when the command was run. The check can be performed by opening a Terminal window (the Terminal application is in Applications/Utilities) and entering the command.
$ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
vulnerable
this is a test
A Bash shell prompt could be obtained by a malicious remote user if Remote Login was enabled and Guest Access was also enabled, though, hopefully, if Remote Login was enabled, Guest Access would not be. Of course, a malicious person could also gain access to the system remotely if Remote Login is enabled and an account that is allowed remote access has a weak password.
An OS X system could also be vulnerable if it is functioning as a web server and has CGI scripts that are written in Bash or that invoke a shell. A web server hands parts of the request, such as the User-Agent header, to a CGI script in environment variables, so an attacker who can reach the server can place a crafted function definition in a request header and have the command appended to it executed on the server without needing any account on the system.
Apple released a fix for the vulnerability for OS X systems on September 29, 2014.
After the laptop was upgraded to OS X 10.8.5 and security updates were applied, I didn't see "vulnerable" displayed when the code was executed.
$ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
this is a test
And when I tested the related vulnerability CVE-2014-7169, the date was no longer displayed.
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory
A system that has been patched for both CVE-2014-6271 and CVE-2014-7169 will simply echo the word "date", and the file "echo" will not be created, as shown above. On an unpatched system the fragment left over from the malformed function definition is prepended to the command, which turns echo date into a redirection of the output of date into a file named echo, so the cat command then displays the date.
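The two checks described on this page, the CVE-2014-6271 test with the appended echo and the CVE-2014-7169 test that looks for a stray file named echo, combined into one probe script. This is an added example, not code from the original page or from Apple; the function names probe_6271, probe_7169 and shellshock_report and the result words VULNERABLE, patched and missing are this example's own conventions. It takes the shell to test as an optional argument (default bash), runs the second check in a scratch directory so no echo file is left behind, and exits non-zero if either check reports VULNERABLE.

```shell
#!/bin/sh
# Added example: probe a shell for the two Shellshock bugs discussed above.
# Usage: sh shellshock_probe.sh [shell]   (shell defaults to bash)

# Print VULNERABLE if the shell named in $1 executes the command appended
# to a function definition imported from the environment (CVE-2014-6271),
# patched if it does not, or missing if that shell is not installed.
probe_6271() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo "missing"; return; }
    # A patched shell prints only the -c command's output; an unpatched
    # one also prints "vulnerable" while importing the variable x.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo "VULNERABLE" ;;
        *)            echo "patched" ;;
    esac
}

# Print VULNERABLE if the shell named in $1 mishandles the parser state
# left behind by a malformed function definition (CVE-2014-7169).  On an
# unpatched shell the leftover fragment turns "echo date" into a
# redirection, so a file named "echo" appears in the working directory.
probe_7169() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo "missing"; return; }
    scratch=$(mktemp -d) || { echo "missing"; return; }
    # Run inside a subshell in the scratch directory so the test file, if
    # it is created, never lands in the caller's directory.
    if (
        cd "$scratch" || exit 1
        env X='() { (a)=>\' "$shell" -c "echo date" >/dev/null 2>&1
        test -e echo
    ); then
        result="VULNERABLE"
    else
        result="patched"
    fi
    rm -rf "$scratch"
    echo "$result"
}

# Run both probes, print one line per CVE, and return non-zero if either
# probe reported VULNERABLE.
shellshock_report() {
    shell="${1:-bash}"
    r1=$(probe_6271 "$shell")
    r2=$(probe_7169 "$shell")
    printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$r1" "$r2"
    [ "$r1" != "VULNERABLE" ] && [ "$r2" != "VULNERABLE" ]
}

shellshock_report "${1:-bash}"
```

On any Bash released since the September 2014 fixes both lines read patched; the script only proves something is wrong, never that everything is right, since it tests the one shell binary you name and not, for example, the /bin/sh that a CGI script might be run with.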
References:
- Shellshock Vulnerability: What Mac OS X Users Need to Know, by Derek Erwin, The Mac Security Blog, Intego (Mac Antivirus & Security), September 26, 2014
- Shellshock (software bug), Wikipedia