A newly discovered security bug in a widely used piece of Linux software, known as “Bash,” could pose a bigger threat to computer users than the “Heartbleed” bug that surfaced in April, cyber experts warned on Wednesday.
Bash is the software used to control the command prompt on many Linux computers. Hackers can exploit a bug in Bash to take complete control of a targeted system, security experts said.
The “Heartbleed” bug allowed hackers to spy on computers, but not take control of them, according to Dan Guido, chief executive of cyber security firm Trail of Bits. “The method of exploiting this issue is also far simpler. You can just cut and paste a line of code and get good results,” he said. Guido said he is considering taking his company’s non-essential servers offline to protect them from being attacked by the Bash bug until he can patch the software.
Tod Beardsley, an engineering manager at cyber security firm Rapid7, warned that the bug was rated a “10” for severity, meaning it has maximum impact, and rated “low” for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks. “Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, etc.,” Beardsley said. “Anybody with systems using Bash needs to deploy the patch immediately.”
“Heartbleed,” discovered in April, is a bug in open-source encryption software called OpenSSL. The bug put the data of millions of people at risk, as OpenSSL is used in about two-thirds of all websites. It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL. (Reporting by Jim Finkle; Editing by Tiffany Wu)