'Bash' software bug may be a bigger threat than 'Heartbleed'

Bash bug worse than Heartbleed, could leave millions of systems vulnerable.

Published Date
25 - Sep - 2014
| Last Updated
25 - Sep - 2014
'Bash' software bug may be a bigger threat than 'Heartbleed'

Security experts have discovered a new security bug called "Bash" that could reportedly pose a bigger threat to computer users than the "Heartbleed" bug that surfaced in April. According to security experts, hackers can exploit a bug in Bash software to take complete control of a targeted system.

The Department of Homeland Security's United States Computer Emergency Readiness Team, or US-CERT, has issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Apple Inc's (AAPL.O) Mac OS X. US-CERT has advised computer users to obtain operating systems updates from software makers and added that Red Hat Inc had already prepared them.

Dan Guido, chief executive of a cyber security firm Trail of Bits stated that the "Heartbleed" bug allowed hackers to spy on computers but Bash can take complete control of the system. "The method of exploiting this issue is also far simpler. You can just cut and paste a line of code and get good results," he added. 

Google Inc security researcher Tavis Ormandy, stated in Twitter that the patches seemed "incomplete," which raised concerns. "That means some systems could be exploited even though they are patched," said Chris Wysopal, chief technology officer with security software maker Veracode.

"Everybody is scrambling to patch all of their Internet-facing Linux machines. That is what we did at Veracode today," he said. "It could take a long time to get that done for very large organizations with complex networks."

Tod Beardsley, an engineering manager at cyber security firm Rapid7, stated that the bug was rated a "10" for severity, meaning it has maximum impact, and rated "low" for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.

"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," Beardsley said. "Anybody with systems using Bash needs to deploy the patch immediately."

"Heartbleed bug," discovered in April is an open-source encryption software called OpenSSL. The bug affected millions of computers as OpenSSL is used in about two-thirds of all websites and forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL. Read: Researchers discover new bugs in Heartbleed

Source: Red Hat Security Blog