You're correct – you'd need to overwrite /bin/bash (think long and hard about this) to update it before Apple ships an update.
The good news is that as long as you're not running a local server, the vulnerability is pretty limited particularly since even if you did have SSH enabled the exploit would require valid authentication first.
There's some potentially funky stuff there like CUPS, which runs a local daemon that serves binary CGIs (though I think it's bound to localhost by default).
> Might be wise to turn all network-listening services off that you don't immediately need until a fix is available.
I would go further and suggest that now is an excellent time to ask which of those services you really need to have at all. The default of blocking incoming connections is right for most people, even developers.
At least on linux that's not true as NetworkManager + dhclient is affected through malicious dhcp packets. There could be attack vectors almost everywhere.
The good news is that as long as you're not running a local server, the vulnerability is pretty limited particularly since even if you did have SSH enabled the exploit would require valid authentication first.