A newly disclosed bug, nicknamed "the Bash bug" or "Shellshock," could cause serious security headaches for many major computer operating systems.

The bug is in Bash, the command shell shipped with Apple's OS X, most Linux distributions and other Unix-like systems. It also reaches Apache web servers, which run over half of the world's websites, because CGI scripts hosted on those servers can invoke Bash with attacker-supplied request headers placed in its environment.

"This vulnerability is potentially a very big deal. It's rated a 10 for severity, meaning it has maximum impact, and 'low' for complexity of exploitation -- meaning it's pretty easy for attackers to use it," said Tod Beardsley from a security firm called Rapid7.

The vulnerability is present in most versions of Bash, from 1.13 through 4.3, and was originally discovered by Stéphane Chazelas, a Unix and network specialist.

While the bug is somewhat more limited in reach than Heartbleed, which was disclosed earlier in 2014, it is still a serious problem because Bash is invoked by so many other programs.

"We already noticed attacks against web servers earlier today, and they are very easy to implement and carry out," said Bogdan Botezatu, an analyst at Bitdefender.

Fortunately, many operating system vendors are shipping patches that provide at least a partial fix. The first round of patches did not close the problem completely, but it raises the bar for attackers trying to take advantage of it.

"In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched," said Joe Hancock, a security expert at AEGIS in London, a specialist insurance company.

Some researchers report that a worm has already begun exploiting the flaw and infecting vulnerable machines. The worm uses infected hosts to launch denial-of-service attacks that disrupt websites, and then scans for further vulnerable devices to infect.

The issue is being compared with the Heartbleed bug in scale, but its impact is different: Shellshock lets an attacker run arbitrary commands through the machine's shell, with whatever privileges the vulnerable program has, whereas Heartbleed leaked memory contents. The fixes differ too: Heartbleed was addressed by installing a newer version of OpenSSL, while Shellshock requires patching Bash on every affected system, including devices that cannot easily be updated.

"It's not as 'simple' as 'be running Bash,' " said Beardsley, adding that for a particular machine to be vulnerable it needs to be running an application that is taking user input. Modern web frameworks, which do not hand requests off to shell scripts, should generally not be affected.
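As an added illustration of the condition just described (this is example code added here, not code from the article, from Rapid7 or from the Bash project), the following POSIX shell script probes a machine for the Shellshock bug (CVE-2014-6271) in the two ways the article discusses: a direct local check of Bash, and a simulation of the CGI hand-off in which a web server copies an attacker-controlled User-Agent header into the environment of a Bash script before running it. The script name `status.cgi`, the marker strings and the sample header are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): two probes for the Bash
# environment-variable function-import bug, CVE-2014-6271 ("Shellshock").

# Probe 1: the canonical local check. Bash is handed an environment
# variable whose value looks like an exported function definition; a
# vulnerable Bash also executes the command that follows the definition.
# Prints "vulnerable", "patched" or "no-bash" and returns 1, 0 or 2.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Probe 2: the CGI vector. A CGI-capable web server exposes request
# headers to the script as HTTP_* environment variables, so a crafted
# User-Agent reaches Bash unmodified. This simulates that hand-off with a
# throwaway CGI script (constructed here) and reports whether the injected
# marker command ran.
cgi_probe() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/status.cgi" <<'EOF'
#!/usr/bin/env bash
echo "Content-Type: text/plain"
echo
echo "status: ok"
EOF
    # Constructed malicious header: a function definition, then a command.
    ua='() { :;}; echo SHELLSHOCK_MARKER'
    # A real server execs the script through its #! line; invoking bash
    # directly is equivalent and also works on noexec temp directories.
    out=$(env HTTP_USER_AGENT="$ua" bash "$tmp/status.cgi" 2>/dev/null)
    rm -rf "$tmp"
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable; return 1 ;;
        *)                   echo patched;    return 0 ;;
    esac
}

echo "local bash: $(shellshock_probe || true)"
echo "cgi vector: $(cgi_probe || true)"
```

On a patched Bash both probes print "patched"; on an unpatched one the injected command runs before the script body and both print "vulnerable". The CGI probe shows why Beardsley's qualification matters: the server itself is not the problem, the hand-off of untrusted input into the environment of a Bash process is. Note that this only tests the original bug; the incomplete first patches mentioned above were followed by further Bash fixes that need their own checks.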

"The good news is that vendors of some of the most popular products affected by the vulnerability have already prepared patches that could at least partially eliminate the problem," said David Jacoby, a security expert at Kaspersky Labs.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.