
Security experts warn ‘Bash bug’ or ‘Shellshock’ flaw lets hackers access computers and mobile devices; could be worse than Heartbleed

COMPUTER security experts are warning a newly-discovered flaw — called ‘Bash bug’ or ‘Shellshock’ — could be worse than the Heartbleed bug.

New bug is bad news for your computer

A NEWLY-discovered computer bug could be worse than the infamous Heartbleed bug, security experts have warned.

The US government and computer security researchers warned of the ‘Bash Bug’ or ‘Shellshock’, a vulnerability in Bash, a command shell shipped with many computer operating systems, which potentially allows hackers to take control of a computer and to access and change confidential information.

A warning from the US Department of Homeland Security’s Computer Emergency Readiness Team (CERT) said the flaw affects “Unix-based operating systems”, including Linux and Apple’s Mac OS X.

CERT said that if hackers exploit this they could take control of a PC: “Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.”

The agency said a patch was available for Shellshock.

Beyond computers, devices ranging from home internet routers to systems used to run factory floors and power plants to medical equipment could be affected.

The flaw could be worse than the “Heartbleed” bug, which affected millions of computers worldwide earlier this year.

“One serious concern is that malware authors could exploit the vulnerability to create a fast-spreading worm,” said independent security consultant Graham Cluley.

“If such a worm materialised it would, without question, make the Bash bug a more serious threat than the Heartbleed OpenSSL bug that impacted many systems earlier this year,” Mr Cluley said on his blog.

The difference is that Heartbleed allowed unauthorised parties to spy on computers, “whereas the Shellshock Bash bug allows attackers to hijack computers, and use them for their own purposes,” he added.

Johannes Ullrich at the SANS Internet Storm Center said the patch for the flaw “is incomplete” and that people using affected systems “should try to implement additional measures”, which could include beefed-up firewalls or software changes.

Eugene Kaspersky, who heads the Kaspersky Lab security group, said in a tweet that the flaw is serious.

The Bash bug “is BAD, expect a lot of exploits and hacked websites to be disclosed in the coming weeks,” he wrote.

However, security company Rapid7 said that while the vulnerability “looks pretty awful at first glance,” hackers will not be able to exploit most systems running the affected Bash software.

The Heartbleed bug, by contrast, was a flaw in OpenSSL, a piece of encryption software used by hundreds of thousands of websites.

For more than two years before it was discovered, the flaw exposed passwords and other sensitive data to hackers who could steal that information.

The reason the Bash bug could be worse than Heartbleed is because it gives the attacker a bigger advantage than Heartbleed did, said Tod Beardsley, engineering manager at Rapid7.

With Heartbleed, attackers could get an information leak. With the Bash bug, they can get “remote code execution,” a way to take control of the affected device to install programs or run commands, he said.

“This vulnerability is potentially a very big deal,” he told CNET.com. “It’s rated a 10 for severity, meaning it has maximum impact, and low for complexity of exploitation, meaning it’s pretty easy for attackers to use it.”

On the other hand, a specific set of conditions needs to be present for the bug to be open to exploitation: an attacker must be able to get data of their choosing into an environment variable that a vulnerable Bash then processes, as happens, for example, when a web server hands request headers to a script run by Bash. That could limit its effect.
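Whether a given host is exposed at all can be checked locally before worrying about the wider conditions. The following is an added example, not code from the article or from any of the researchers quoted in it: it runs a fresh Bash with the well-known crafted environment variable for the original Shellshock bug (CVE-2014-6271) and reports whether the trailing command was executed. It assumes a `bash` binary is on the `PATH`; it tests only the original pattern and does not cover the follow-up bugs that Ullrich’s “incomplete” patch left open.

```bash
#!/bin/sh
# Added example: local check for the original Shellshock pattern (CVE-2014-6271).
# The value of x below is a Bash function definition ("() { :;}") followed by
# a trailing command.  A vulnerable Bash imports the function from the
# environment and also runs the trailing command; a patched Bash does not.

shellshock_check() {
    # Start a fresh bash with the crafted variable in its environment and
    # capture stdout.  stderr is discarded because a patched bash may warn
    # about the malformed function definition.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*)
            echo "vulnerable"
            return 1 ;;   # non-zero: the check failed, this bash is affected
        *)
            echo "not vulnerable"
            return 0 ;;   # zero: only "test" was printed, as expected
    esac
}

# Usage: run the script, or source it and call shellshock_check; the exit
# status is non-zero when the local bash is vulnerable.
shellshock_check
```

A result of “not vulnerable” here only says that this Bash binary ignores the original pattern; it says nothing about other Bash builds on the same host (for example one bundled with a separate application), nor about the later variants of the bug.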

The vulnerability was discovered by Stéphane Chazelas. Akamai Technologies Inc. said in a blog post on Wednesday that it has no evidence that any systems were compromised using the bug.

“And unfortunately, this isn’t ‘No, we have evidence that there were no compromises;’ rather, ‘We don’t have evidence that spans the lifetime of this vulnerability.’ We doubt many people do — and this leaves system owners in the uncomfortable position of not knowing what, if any, compromises might have happened,” Akamai said in a blog post on Wednesday.

Bash was released in 1989.

As for what to do, Mr Beardsley said to wait for the slew of patches that device makers and others will be releasing in the coming weeks.

Original URL: https://www.news.com.au/technology/security-experts-warn-bash-bug-or-shellshock-flaw-lets-hackers-access-computers-and-mobile-devices-could-be-worse-than-heartbleed/news-story/927dc7eba5bf9d124734ba03709e1dd9