By Jim Finkle
BOSTON, Sept 25
Hackers have launched attacks
exploiting the newly identified "Shellshock" computer bug,
researchers warned on Thursday, as news surfaced that an initial
patch for the issue was incomplete, suggesting even updated
systems were vulnerable.
The attacks came as security experts scrambled to determine
how many systems and what types of computers are vulnerable to
"Shellshock," which some say may be as serious as the
"Heartbleed" vulnerability that surfaced in April.
"Shellshock" is a bug in a piece of software known as "Bash"
that runs the command prompt on many Unix computers, including
some Linux servers that run websites, and tiny computers inside
consumer devices such as routers and web cams.
"We don't actually know how widespread this is. This is
probably one of the most difficult-to-measure bugs that has come
along in years," said Dan Kaminsky, a well-known expert on
Internet threats.
For an attack to be successful, a targeted system must be
accessible via the Internet and also running a second vulnerable
set of code besides Bash, computer experts said.
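The "second vulnerable set of code" the experts refer to is, in the most widely documented case, a web server that copies attacker-controlled request headers into environment variables before invoking Bash (a CGI handler, for instance); that is background from public vendor advisories, not a claim made in this article. One thing a defender can do right away is look for the tell-tale Bash function-definition prefix in web access logs. The scanner below is an added example, not code from Reuters or from any of the firms quoted; it uses constructed sample log lines, and the detection is the `() {` prefix on a header value, which no legitimate browser sends.

```python
import re

# The Shellshock exploit string begins with a Bash function definition,
# "() {", placed in an HTTP header the server later exports to Bash.
# Matching the prefix alone catches variants regardless of the body.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample lines in Apache "combined" log format. Referer is the
# next-to-last quoted field, User-Agent the last. Only the second line is
# a probe; its payload body is deliberately inert.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo probe"
198.51.100.4 - - [25/Sep/2014:10:02:11 +0000] "GET /about HTTP/1.1" 404 0 "-" "curl/7.37.0"
"""

# Minimal parser for the combined format; fields we do not need are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_shellshock_header(value):
    """True if a header value starts a Bash function definition."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_access_log(text):
    """Return (client_ip, request_line, offending_header_value) for each
    line whose Referer or User-Agent carries the Shellshock prefix.
    Lines that do not parse are skipped rather than treated as hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("ref", "ua"):
            value = m.group(field)
            if is_shellshock_header(value):
                hits.append((m.group("ip"), m.group("req"), value))
                break  # one report per line is enough
    return hits


if __name__ == "__main__":
    for ip, req, value in scan_access_log(SAMPLE_LOG):
        print(f"possible Shellshock probe from {ip}: {req!r} header={value!r}")
```

A hit in the log does not by itself mean the server was exploitable; it only shows that someone tried, which is exactly the kind of signal the researchers quoted above were watching for. The same prefix match can be applied to other header fields (Cookie, Host, custom headers) if the server logs them.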
"There is a lot of speculation out there as to what is
vulnerable, but we just don't have the answers," said Marc
Maiffret, chief technology officer of cybersecurity firm
BeyondTrust. "This is going to unfold over the coming weeks and
months."
Joe Hancock, a cybersecurity expert with insurer AEGIS in
London, said in a statement that he is concerned about the
potential for attacks on home broadband routers and controllers
used to manage critical infrastructure facilities.
"In some areas this will be a challenge to fix, as many
embedded devices are not designed with regular updates in mind
and will never be able to be patched," Hancock said.
Linux makers released patches to protect against attacks on
Wednesday, though security researchers uncovered flaws in those
updates, prompting No. 1 Linux maker Red Hat Inc to
advise customers that the patch was "incomplete."
"That's a problem. It's been a little over 24 hours and
we're still in the same boat," said Mat Gangwer, lead security
consultant at Rook Security. "People are kind of freaking out.
Rightfully so."
Russian security software maker Kaspersky Lab reported that
a computer worm has begun infecting computers by exploiting
"Shellshock."
The malicious software can take control of an infected
machine, launch denial-of-service attacks on websites to disrupt
their operations and scan for other vulnerable devices,
including routers, said Kaspersky researcher David Jacoby.
He said he did not know who was behind the attacks and could
not name any victims.
"Heartbleed" is a bug in open-source encryption software
called OpenSSL. The bug put the data of millions of people at
risk, as OpenSSL is used in about two-thirds of all websites. It
also forced dozens of technology companies to issue security
patches for hundreds of products that use OpenSSL.
(Additional reporting by Carolyn Cohn; Editing by Dan Grebler)