HACKERS HAVE DISCOVERED an exploit for Unix-based systems that some experts claim could be more serious than the Heartbleed SSL bug uncovered in April.
The bash bug, as implied by its name, is a vulnerability that allows unscrupulous users to take control of Bourne Again Shell (bash), the software used to control the Unix command prompt on some Unix-like systems. This means that systems running Mac OS X and Linux are all potentially susceptible.
What makes the bash bug particularly dangerous is that it simply requires the copy and paste of a single line of code to work, after which hackers can run their own malicious code, potentially taking complete control of the system.
Fireeye director of Threat Research Darien Kindlund explained, "This bug is horrible. It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic.
"Conservatively, the impact is anywhere from 20 to 50 [percent] of global servers supporting web pages. Specifically, this issue affects web servers using GNU bash to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet."
Patches are already rolling out for most software distros, but the Department for Homeland Security in the US has issued an advisory warning users to take care.
Commenting on the flaw, Professor Alan Woodward from the University of Surrey said, "What many do not realise is that over 50 percent of active web sites run on a web server called Apache which runs on Unix, and hence is potentially vulnerable.
"As we have just passed the point where there are one billion active websites, that means that something in excess of 500 million sites could be vulnerable to this security flaw, compared to only 500,000 for the Heartbleed bug."
However, despite Woodward's speculation, it's too early to say what the impact of the bash bug will be.
He continued, "Vendors are rushing out patches today for the main Unix systems affected, but it assumes that their owners know about the problem and apply the fix. It also does not reach the many other systems and devices that are potentially affected where Linux runs in the background, nearly always unknown to the owner, such as home WiFi routers.
"If one includes such devices, the number of potentially vulnerable systems is enormous, and scans are going on right now to determine how widespread the problem is in practice."
We can confirm that Mageia Linux has already been patched, suggesting that some coders have put in all-nighters to prevent abuse of the flaw.
Robert Horton, managing director of NCC Group's European security consulting division, said "This standard cuts across platforms and thus potentially holds wide impacting ramifications. However, it is neither as media friendly or universally exploitable as the recent Heartbleed bug. But, what we think will cause significant issues is that people will find plenty of unexpected ways to trigger this vulnerability and that means its scope will be wider then appreciated, and this might have a detrimental impact."
The Heartbleed flaw discovered earlier this year led to the creation of the Core Infrastructure Initiative, an industry effort to ensure that the SSL encryption protocol is secure. µ
Sadly that doesn't include offering you a beer
It's like the Hokey Cokey only for the stock market
FruityArmor and SandCat have already made use of the privilege escalation bug
A small village in Siberia will eat well tonight