Thursday, September 25, 2014

Shellshock: Bash bug 'bigger than Heartbleed' could undermine security of millions of websites

super bug or supervirus?

A security flaw discovered in one of the most fundamental interfaces powering the internet has been described by researchers as 'bigger than Heartbleed', the computer bug that affected nearly every computer user earlier this year.
The 'Bash bug', also known as Shellshock, is located in the command-line shell used in many Linux and Unix operating systems, leaving websites and devices powered by these operating systems open to attack.
Like Heartbleed, Shellshock is a pervasive flaw that security researchers say will take years to fix properly. The responsibility to do so, however, rests with webmasters and systems administrators – rather than average users.
Security firm Rapid7 has rated the bug as 10 out of 10 for its severity, but "low" for complexity - with hackers able to exploit it using just three lines of code.
However, unlike Heartbleed, Shellshock will not require users to rush from site to site changing their passwords, but it does give hackers another method of attack that they could potentially use to take over computers or mobile devices.
If Heartbleed's effect on users was akin to unlocking everyone's front door simultaneously, sending people scrambling back home to turn the key (i.e. change their passwords), then Shellshock is like giving thieves a new type of crowbar to break into houses with - they're just as likely to use older methods, but it's still a blow for general security.
Security researchers are especially worried about its potential - but as yet unknown - effect on Apple Mac computers, which use the Bash software that the bug exploits directly, in the form of the command-line program Terminal.

INC News, 25/09/2014
