2014-09-24
(Adds comments from Department of Homeland Security, and
By Jim Finkle
BOSTON, Sept 24 A newly discovered security bug
in a widely used piece of Linux software, known as "Bash," could
pose a bigger threat to computer users than the "Heartbleed" bug
that surfaced in April, cyber experts warned on Wednesday.
Bash is the shell, the program that interprets commands typed at the
command prompt, on many Unix-based computers; other programs also invoke
it behind the scenes. Attackers who can get a vulnerable Bash to process
crafted input can run commands of their choosing and take complete
control of a targeted system, security experts said.
The Department of Homeland Security's United States Computer
Emergency Readiness Team, or US-CERT, issued an alert saying the
vulnerability affected Unix-based operating systems including
Linux and Apple Inc's Mac OS X.
The "Heartbleed" bug allowed hackers to spy on computers but
not take control of them, according to Dan Guido, chief
executive of a cybersecurity firm Trail of Bits.
"The method of exploiting this issue is also far simpler.
You can just cut and paste a line of code and get good results."
Tod Beardsley, an engineering manager at cybersecurity firm
Rapid7, warned the bug was rated a "10" for severity, the top of the
scale, meaning it has maximum impact, and rated "low" for the
complexity of exploiting it, meaning it is relatively easy for hackers
to launch attacks.
"Using this vulnerability, attackers can potentially take
over the operating system, access confidential information, make
changes, et cetera," Beardsley said. "Anybody with systems using
Bash needs to deploy the patch immediately."
US-CERT advised computer users to obtain operating system
updates from software makers. It said that Linux providers
including Red Hat Inc had already prepared them, but it
did not mention an update for OS X. Apple representatives could
not be reached.
Tavis Ormandy, a Google Inc security researcher,
said via Twitter that the patches seemed "incomplete." Ormandy
could not be reached to elaborate, but several security experts
said a brief technical comment provided on Twitter raised
concerns.
"That means some systems could be exploited even though they
are patched," said Chris Wysopal, chief technology officer with
security software maker Veracode.
He said corporate security teams had spent the day combing
their networks to find vulnerable machines and patch them, and
they would likely be taking other precautions to mitigate the
potential for attacks in case the patches proved ineffective.
"Everybody is scrambling to patch all of their
Internet-facing Linux machines. That is what we did at Veracode
today," he said. "It could take a long time to get that done for
very large organizations with complex networks."
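As an added example, not code from the Reuters article, from Guido, or from the Bash project, the following POSIX shell script is the kind of check security teams ran that day. It asks a bash binary to import a function definition from the environment with an extra command appended, a one-liner of the sort Guido describes, and reports whether the extra command ran; a second probe exercises the parser bug that remained after the first fix, the gap behind Ormandy's "incomplete" remark. The identifiers CVE-2014-6271 (the original bug) and CVE-2014-7169 (the follow-up for the incomplete fix) are not named in the article but are the ones assigned to these issues. The only assumption is a bash binary on PATH, or a path to one passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the Reuters article or the Bash project: probes a
# bash binary for the environment-variable function-import bug (CVE-2014-6271)
# and for the parser bug left after the first patch (CVE-2014-7169).
# Assumption: a bash binary on PATH, or a path given as the first argument.

# Returns 0 if the bash under test is patched, 1 if it executes the command
# appended after a function definition in an environment variable.
shellshock_check() {
    target="${1:-bash}"
    # The value looks like an exported function definition followed by an
    # extra command. A vulnerable bash runs the extra command while importing
    # the function, so the marker shows up in the output before "probe".
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$target" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# The first fix still let a malformed function definition leave parser state
# behind, so the next command ("echo date") was parsed as a redirection and
# wrote the output of "date" into a file named "echo". Run in a scratch
# directory so a vulnerable bash cannot scribble over anything real.
# Returns 0 if no stray file appears, 1 if it does.
incomplete_patch_check() {
    target="${1:-bash}"
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$target" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Report on the bash found on PATH (pass a path as $1 to test another copy).
for check in shellshock_check incomplete_patch_check; do
    if "$check" "$1"; then
        echo "$check: not vulnerable"
    else
        echo "$check: VULNERABLE"
    fi
done
```

A clean result from the first probe alone says nothing about the second, which is the point of the "incomplete" warning: run both, and run them against every bash binary on a host (including copies bundled inside appliances or containers), not only the one on PATH.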
"Heartbleed," discovered in April, is a bug in an
open-source encryption software called OpenSSL. The bug put the
data of millions of people at risk as OpenSSL is used in about
two-thirds of all websites. It also forced dozens of technology
companies to issue security patches for hundreds of products
that use OpenSSL.
Bash is a shell, or command prompt software, developed as part of the
GNU Project, which is sponsored by the non-profit Free Software
Foundation. Officials with that group could not be reached for comment.
(Reporting by Jim Finkle; Editing by Tiffany Wu and Ken Wills)