Print edition: 2014-09-29

'Bash' computer bug could hit millions

Published September 29, 2014 Updated September 29, 2014 12:00am

The US government and technology experts warned Thursday of a vulnerability in some computer operating systems, including Apple's Mac OS, which could allow widespread and serious attacks by hackers. The flaw affects "Unix-based operating systems" powered by Linux and Apple's Mac OS, said the warning from the US Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security.
CERT said that if hackers exploit this they could take control of a PC: "Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system."
The agency said a patch was available for the flaw, which is described by security researchers as "Bash" or "Shellshock." Some said the security hole would be more damaging than the "Heartbleed" bug which affected millions of computers world-wide earlier this year.
Bigger than Heartbleed
"This is going to be much bigger than Heartbleed," said Rahul Kashyap, chief security architect at Bromium Labs, a California-based security firm.
Kashyap said the Bash bug could affect millions of devices, from Web servers to Macintosh computers to webcams and other devices which connect to the Internet using open-source operating systems based on Linux.
Because the software is so prevalent, "it means attackers can get into your house, your home routers," Kashyap told AFP.
"They could deface a lot of websites on the fly. A lot of damage can be done, and it's a very simple code."
Even though no exploit of the flaw was seen in the first hours after the vulnerability was made public, Kashyap said he expected "a huge impact in the next few days."
Independent security consultant Graham Cluley agreed that if hackers create a worm that exploits the flaw, "it would, without question, make the Bash bug a more serious threat than the Heartbleed OpenSSL bug that impacted many systems earlier this year." While Heartbleed allowed unauthorised parties to spy on computers, "the Shellshock Bash bug allows attackers to hijack computers, and use them for their own purposes," Cluley said in a blog post.
'Staggering' potential
Gavin Millard at the security firm Tenable also expressed concern about the extent of the flaw.
"The potential for attackers utilising Shellshock is huge," he said.
"With millions of Unix and Linux servers being vulnerable and running web services that hackers can connect to, the attack surface is staggering," he wrote in a blog post.
Johannes Ullrich at the SANS Internet Storm Center said the patch for the flaw "is incomplete" and that people using affected systems "should try to implement additional measures" which could include beefed-up firewalls or other software changes.
Eugene Kaspersky, who heads the Kaspersky Lab security group, said in a tweet that the flaw is serious.
The Bash bug "is BAD, expect a lot of exploits and hacked websites to be disclosed in the coming weeks," he wrote.
Researcher Robert Graham of Errata Security said that unlike Heartbleed, this bug "has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug."
The computer security firm Symantec said it "regards this vulnerability as critical, since Bash is widely used in Linux and Unix operating systems running on Internet-connected computers, such as Web servers."

Copyright Agence France-Presse, 2014
