'Bash' software bug may pose bigger threat than 'Heartbleed'
[September 25, 2014]
By Jim Finkle
BOSTON (Reuters) - A newly discovered security bug in a widely used piece of Linux
software, known as "Bash," could pose a bigger threat to computer users than the
"Heartbleed" bug that surfaced in April, cyber experts warned on Wednesday.
Bash is the software used to control the command prompt on many Unix
computers. Hackers can exploit a bug in Bash to take complete
control of a targeted system, security experts said.
The Department of Homeland Security's United States Computer
Emergency Readiness Team, or US-CERT, issued an alert saying the
vulnerability affected Unix-based operating systems including Linux
and Apple Inc's Mac OS X.
The "Heartbleed" bug allowed hackers to spy on computers but not
take control of them, according to Dan Guido, chief executive of
cybersecurity firm Trail of Bits.
"The method of exploiting this issue is also far simpler. You can
just cut and paste a line of code and get good results."
Tod Beardsley, an engineering manager at cybersecurity firm Rapid7,
warned the bug was rated a "10" for severity, meaning it has maximum
impact, and rated "low" for complexity of exploitation, meaning it
is relatively easy for hackers to launch attacks.
"Using this vulnerability, attackers can potentially take over the
operating system, access confidential information, make changes, et
cetera," Beardsley said. "Anybody with systems using Bash needs to
deploy the patch immediately."
US-CERT advised computer users to obtain operating systems updates
from software makers. It said that Linux providers including Red Hat
Inc. had already prepared them, but it did not mention an
update for OS X. Apple representatives could not be reached.
Tavis Ormandy, a Google Inc. security researcher, said via
Twitter that the patches seemed "incomplete." Ormandy could not be
reached to elaborate, but several security experts said a brief
technical comment provided on Twitter raised concerns.
"That means some systems could be exploited even though they are
patched," said Chris Wysopal, chief technology officer with security
software maker Veracode.
He said corporate security teams had spent the day combing their
networks to find vulnerable machines and patch them, and they would
likely be taking other precautions to mitigate the potential for
attacks in case the patches proved ineffective.
"Everybody is scrambling to patch all of their Internet-facing Linux
machines. That is what we did at Veracode today," he said. "It could
take a long time to get that done for very large organizations with
complex networks."
"Heartbleed," discovered in April, is a bug in an open-source
encryption software called OpenSSL. The bug put the data of millions
of people at risk as OpenSSL is used in about two-thirds of all
websites. It also forced dozens of technology companies to issue
security patches for hundreds of products that use OpenSSL.
Bash is a shell, or command prompt software, produced by the
non-profit Free Software Foundation. Officials with that group could
not be reached for comment.
(Reporting by Jim Finkle; Editing by Tiffany Wu and Ken Wills)
© 2014 Thomson Reuters. All rights reserved. This material may not be
published, broadcast, rewritten or redistributed.