Monday, September 29, 2014 9:23:54 AM
25 September 2014 Last updated at 11:13 ET
Shellshock: 'Deadly serious' new vulnerability found
By Dave Lee, Technology reporter, BBC News
More than 500 million computers could be affected, early estimates suggest
A "deadly serious" bug potentially affecting hundreds of millions of computers, servers and devices has been discovered.
The flaw has been found in a software component known as Bash, which is a part of many Linux systems as well as Apple's Mac operating system.
The bug, dubbed Shellshock, can be used to remotely take control of almost any system using Bash, researchers said.
Some experts said it was more serious than Heartbleed, discovered in April.
"Whereas something like Heartbleed was all about sniffing what was going on, this was about giving you direct access to the system," Prof Alan Woodward, a security researcher from the University of Surrey, told the BBC.
"The door's wide open."
Some 500,000 machines worldwide were thought to have been vulnerable to Heartbleed. But early estimates, which experts said were conservative, suggest that Shellshock could hit at least 500 million machines.
The problem is particularly serious given that many web servers are run using the Apache system, software which includes the Bash component.
Patch immediately
Bash - which stands for Bourne-Again SHell - is a command prompt on many Unix computers. Unix is an operating system on which many others are built, such as Linux and Mac OS.
The US Computer Emergency Readiness Team (US-Cert) issued a warning about the bug, urging system administrators to apply patches.
However, other security researchers warned that the patches were "incomplete" and would not fully secure systems.
Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug.
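As an added example (not part of the BBC article), this is the local self-check that administrators ran in 2014 to confirm whether their own Bash build had been patched: a vulnerable Bash executes the command appended to the environment value, while a patched one runs only the requested echo. It covers the originally reported flaw only; the follow-up fixes the article refers to when it calls the first patches "incomplete" need the vendor's later updates.

```shell
#!/bin/sh
# Added example, not from the article: self-check for the original Shellshock flaw.
# Bash imported function definitions from environment variables; a vulnerable build
# also executed whatever followed the function body, so the trailing "echo vulnerable"
# runs. A patched build ignores the trailing command and only prints "ok".
check_shellshock() {
    # Report clearly when bash is not installed at all (nothing to check).
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Usage: prints "patched", "vulnerable" or "no-bash" for the bash on PATH.
check_shellshock
```

Run it as any unprivileged user; it never modifies the system, so it can be scripted across a fleet after patching to confirm the update actually took effect.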
Analysis - Mark Ward, technology correspondent
Shellshock rates a 10 on the scale of vulnerabilities. As bugs go, it's about as bad as it gets.
Except that the last big bad bug, Heartbleed, rated an 11, according to one expert.
That should mean Shellshock isn't as bad. Right?
Maybe. It's too early to tell.
With Heartbleed, more work had been done by the folks who found it, so it was easier to estimate who was at risk. There were lots of big targets, many of which had large user populations.
With Shellshock, the sheer number of potential victims is higher. And we do know that an exploit has been produced and some folks are scanning sites to see which are vulnerable to attacks based around that code.
So far, what's keeping servers safe is the fact that cyber thieves are lazy and tend to copy what has already worked. Finding exploits is specialised, hard work so they only tend to pile in once that appears. With that code already in circulation, the early news about Shellshock may just be the first tremor of a much bigger quake.
Cybersecurity specialists Rapid7 rated the Bash bug as 10 out of 10 for severity, but "low" on complexity - a relatively easy vulnerability for hackers to capitalise on.
"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," said Tod Beardsley, a Rapid7 engineer.
"Anybody with systems using Bash needs to deploy the patch immediately."
Security firms have suggested that there is evidence Shellshock is being used by hackers.
"The vulnerability has already been used for malicious intentions - infecting vulnerable web servers with malware, and also in hacker attacks," said Kaspersky Labs.
"Our researchers are constantly gathering new samples and indications of infections based on this vulnerability."
For general home users worried about security, Prof Woodward suggested simply keeping an eye on manufacturer websites for updates - particularly for hardware such as broadband routers.
Free questions
The new bug has turned the spotlight, once again, onto the reliance the technology industry has on products built and maintained by small teams often made up of volunteers.
Heartbleed was a bug related to open source cryptographic software OpenSSL. After the bug became public, major tech firms moved to donate large sums of money to the team responsible for maintaining the software.
Similarly, the responsibility for Bash lies with just one person - Chet Ramey, a developer based at Case Western Reserve University in Ohio.
That such key parts of everyday technology are maintained in this way is a cause for concern, said Tony Dyhouse from the UK's Trustworthy Software Initiative.
"To achieve a more stable and secure technology environment in which businesses and individuals can feel truly safe, we have to peel back the layers, start at the bottom and work up," he said.
"This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK.
"Ultimately, this is a lifecycle problem. It's here because people are making mistakes whilst writing code and making further mistakes when patching the original problems."