A “deadly serious” bug potentially affecting hundreds of millions of computers, servers and devices has been discovered.
The flaw has been found in a software component known as Bash, which is a part of many Linux systems as well as Apple’s Mac operating system.
The bug, dubbed Shellshock, can be used to remotely take control of almost any system using Bash, researchers said.
Some experts said it was more serious than Heartbleed, discovered in April.
“Whereas something like Heartbleed was all about sniffing what was going on, this was about giving you direct access to the system,” Prof Alan Woodward, a security researcher from the University of Surrey, told the BBC.
“The door’s wide open.”
Some 500,000 machines worldwide were thought to have been vulnerable to Heartbleed. But early estimates, which experts said were conservative, suggest that Shellshock could hit at least 500 million machines.
The problem is particularly serious given that many web servers are run using the Apache system, software which includes the Bash component.
Bash – which stands for Bourne-Again SHell – is a command prompt on many Unix computers. Unix is an operating system on which many others are built, such as Linux and Mac OS.
The US Computer Emergency Readiness Team (US-Cert) issued a warning about the bug, urging system administrators to apply patches.
However, other security researchers warned that the patches were “incomplete” and would not fully secure systems.
Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug.
Shellshock rates a 10 on the scale of vulnerabilities. As bugs go, it’s about as bad as it gets.
Except that the last big bad bug, Heartbleed, rated an 11, according to one expert.
That should mean Shellshock isn’t as bad. Right?
Maybe. It’s too early to tell.
With Heartbleed, more work had been done by the folks that found it so it was easier to estimate who was at risk. There were lots of big targets, many of which had large user populations.
With Shellshock, the sheer number of potential victims is higher. And we do know that an exploit has been produced and some folks are scanning sites to see which are vulnerable to attacks based around that code.
So far, what’s keeping servers safe is the fact that cyber thieves are lazy and tend to copy what has already worked. Finding exploits is specialised, hard work so they only tend to pile in once that appears. With that code already in circulation, the early news about Shellshock may just be the first tremor of a much bigger quake.
Read more at: http://www.bbc.co.uk/news/technology-29361794