A vulnerability has been discovered within the widely used Bash software included on Linux and Mac operating systems, raising concerns about an exploit that some experts say stands to be more damaging than the Heartbleed bug identified earlier this year.

Researchers revealed on Wednesday this week that a bug has been spotted in Bash — a command-line shell developed in the 1980s and common to Linux and Unix systems — which may allow attackers to target computers and, if successful, run malicious code that could let them take control of entire servers, potentially affecting millions of machines.

But while the so-called Heartbleed bug found in April allowed hackers to spy on vulnerable systems due to a previously undiscovered flaw in the open-source encryption software OpenSSL, security experts already say that the Bash exploit — being referred to as “Shellshock” — is more severe, because exploiting it could allow attackers to seize vulnerable systems by running unauthorized code that, in a worst-case scenario, gives them full privileges on the compromised machine.

“The method of exploiting this issue is also far simpler,” Dan Guido, the chief executive of the cybersecurity firm Trail of Bits, told Reuters on Wednesday this week of the differences. “You can just cut and paste a line of code and get good results.”

After Shellshock was identified by researcher Stéphane Chazelas on Wednesday, the United States Computer Emergency Readiness Team, or US-CERT, acknowledged the severity of the issue by releasing a statement warning that “exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.”


“In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run,” security company Symantec said in a warning on Thursday.

“Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera,” Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, added to Reuters. “Anybody with systems using Bash needs to deploy the patch immediately.”

On the government’s official CERT website, a statement tells visitors to read a Wednesday blog post on the website of security company Red Hat where researchers said patching the exploit was a “critical priority” and, given the “pervasive use of the Bash shell,” should be acknowledged by everyone as a serious vulnerability. Separately, the National Vulnerability Database — a group sponsored by the US Department of Homeland Security, CERT and the National Institute of Standards and Technology — gave the bug a rating of “10” in terms of severity, its highest.

Among those who say Shellshock poses a bigger risk than Heartbleed is Robert Graham, a computer expert and co-founder of Errata Security, who tweeted this week that “enough systems are vulnerable for this to be a real concern.”

“Luckily, since bash is open-source, this bug was quickly found before it became widely deployed,” Graham tweeted, but with the caveat: “This ‘bash’ bug is probably a bigger deal than Heartbleed.”

Indeed, a preliminary scan conducted by Graham this week discovered no fewer than 3,000 vulnerable systems. “Consequently,” he wrote, “…this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would ‘game over’ for large networks.”

Patches have since been released that are intended to prevent attacks from exploiting the Bash bug, but the Red Hat security blog said on Thursday that attempts to fix the glitch have so far been incomplete.

