‘Shellshock’ Bash Bug Threatens Millions of Computer Systems Worldwide


(Newswire.net — September 28, 2014)  — Researchers revealed on Wednesday this week that a bug has been found in Bash, a command-line shell developed in the 1980s and common to Linux and Unix systems. The flaw may allow attackers to target computers and, if successful, run malicious code that lets them take control of entire servers, putting potentially millions of machines at risk.

While the so-called Heartbleed bug found in April allowed hackers to spy on vulnerable systems because of a previously undiscovered flaw in the open-source encryption software OpenSSL, security experts already say that the Bash bug, being referred to as “Shellshock”, is more severe.

According to experts, exploiting it could allow attackers to seize vulnerable systems by running unauthorized code that, in the worst case, gives them full privileges on the compromised machine.

The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify service providers and to encrypt traffic, the names and passwords of users, and the actual content. It allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users.

Shellshock, also known as the Bash bug, is a different kind of flaw: a security bug in the widely used Unix Bash shell that causes Bash to execute commands from environment variables unintentionally. When Bash starts it imports shell function definitions from its environment, and vulnerable versions also execute any commands appended after the function body instead of stopping at the end of the definition.

While Bash is not itself an Internet-facing service, many Internet-facing daemons invoke Bash internally. An attacker who can get such a service to place attacker-controlled data into an environment variable (a web server running CGI scripts, for example, copies HTTP request headers into the script's environment) can cause Bash to execute the commands hidden in that variable.
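The environment-variable trigger described above can be checked locally with the widely circulated one-line test. The script below is an added example written for this article, not code from the original piece or from the Bash maintainers; it wraps that test in a small POSIX sh script and assumes only that `env` and a `bash` binary are present on the host. The probe is harmless (the injected command merely echoes a word) and reports on the local Bash binary only; it says nothing about a remote service unless run on that service's host.

```shell
#!/bin/sh
# Added example: local check for the Shellshock environment-variable bug.
# The probe sets a variable whose value is a function definition followed
# by a trailing command, then starts bash. A vulnerable bash runs the
# trailing 'echo vulnerable' while importing the function; a patched bash
# runs only the command it was explicitly asked to run.

# Classify the probe's captured stdout. Kept separate so the decision logic
# can be exercised on constructed strings without starting a shell.
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable"; return 0 ;;
        *)            echo "patched";    return 1 ;;
    esac
}

# Run the probe against the given bash binary (default: first 'bash' in PATH).
# Exit status: 0 = vulnerable, 1 = patched, 2 = binary not found.
shellshock_probe() {
    target=${1:-bash}
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "not found: $target"
        return 2
    fi
    # 'env' places the crafted variable into the child's environment, the same
    # way a CGI gateway would place an attacker-supplied request header there.
    # A patched bash prints only "test"; a vulnerable one prints "vulnerable"
    # first, even though 'echo vulnerable' was never part of the -c command.
    out=$(env x='() { :;}; echo vulnerable' "$target" -c 'echo test' 2>/dev/null)
    classify_probe_output "$out"
}

# When executed directly, probe the binary named on the command line (or
# 'bash' from PATH) and keep its status without aborting the script.
status=0
shellshock_probe "$@" || status=$?
```

Run it as `sh shellshock_check.sh` (or `sh shellshock_check.sh /bin/bash` to name a specific binary); the word printed is the verdict and `$status` holds the exit code. A result of "patched" for one binary does not cover other copies of Bash on the same host, so check every binary that services actually invoke.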

The bug was kept under embargo until 24 September, in order to ensure that security updates were available for most systems as soon as the details of the vulnerability were available to attackers.

“The method of exploiting this issue is also far simpler,” Dan Guido, chief executive of cyber security firm Trail of Bits, told Reuters on Wednesday this week, explaining the difference. “You can just cut and paste a line of code and get good results.”

After Shellshock, discovered by researcher Stéphane Chazelas, was disclosed on Wednesday, the United States Computer Emergency Readiness Team (US-CERT) acknowledged the severity of the issue by releasing a statement warning that “exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.”

“In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run,” security company Symantec said in a warning on Thursday.

“Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera,” Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, added to Reuters. “Anybody with systems using Bash needs to deploy the patch immediately.”

On the government’s official CERT website, a statement tells visitors to read a Wednesday blog post on the website of security company Red Hat, where researchers said patching the flaw was a “critical priority” and, given the “pervasive use of the Bash shell,” should be treated by everyone as a serious vulnerability. Separately, the National Vulnerability Database, maintained by the National Institute of Standards and Technology and sponsored by the US Department of Homeland Security, gave the bug a severity score of 10, the highest on its scale.