Nicole Perlroth
September 25 2014
Security Experts Expect Shellshock Software Bug to Be Significant
A newly discovered bug in the world’s widely used Linux and Unix operating systems could allow hackers to take control of hundreds of millions of machines around the world, according to security experts.
The bug, named Shellshock, is similar to the Heartbleed bug that generated widespread fear last spring because it would allow anyone with knowledge of the vulnerability to exploit a large number of computer servers. The flaw was discovered in Bash, short for Bourne-Again Shell, a command prompt in Unix. Unix is commonly used in corporate computer networks and is the basis of other operating systems, like Linux and Apple’s Macintosh operating system.
It is not yet clear how the bug affects Macintosh machines.
The bug, which was reported late Tuesday night, would allow hackers to write code that could surreptitiously take over a machine, or run their own programs in the background. The National Institute of Standards and Technology has said that the vulnerability is a 10 out of 10, in terms of its severity, impact and exploitability, but low in terms of its complexity, meaning it could be easily used by hackers.
While the Heartbleed bug affected some 500,000 machines, in early estimates, security experts predicted that the Shellshock bug could ultimately be far more significant.
Researchers at Kaspersky, a security firm, noted that hackers could only use Heartbleed to steal data from a server’s memory in hopes of finding something interesting. But the Shellshock vulnerability makes it possible for someone to take over a machine. The Kaspersky researchers said that as soon as the bug was reported Tuesday they detected widespread Internet scanning by so-called “white hat” hackers — most likely security researchers — as well as people believed to be cybercriminals.
The Department of Homeland Security’s Computer Emergency Readiness Team, known as US-CERT, which warns about security vulnerabilities, advised users and technology administrators to refer to their Linux or Unix-based operating systems suppliers for an appropriate patch.
Researchers at Red Hat, a company that distributes a version of Linux, found that the patch initially offered by the agency was incomplete and noted that hackers could still use Shellshock to take over a machine. They were working on a more comprehensive patch. US-CERT referred experienced technicians administrators to a GNU Bash patch, which patches for the flaw.
For users at home, security experts advised them to stay abreast of updates from techonology manufacturers on their websites, particularly for hardware such as routers.
No comments:
Post a Comment