
Security experts scramble to plug “bash bug” hole

By Daily Guide
SEP 29, 2014

The bug lies in a program called “bash”, used in Apple Macintosh, Linux and other operating systems.

Most importantly, it is used in the software of the Apache web servers that run at least half the world's websites.

It's also used in the software that connects many “smart” home devices to the Internet, including household security systems and even lighting systems.

“This vulnerability is potentially a very big deal. It's rated a 10 for severity, meaning it has maximum impact, and “low” for complexity of exploitation - meaning it's pretty easy for attackers to use it,” said Tod Beardsley of the security firm Rapid7.

The vulnerability could potentially allow attackers “to remotely execute a huge variety of devices and web servers,” he said.

The bash program allows users to work within a text shell to input commands, so it's being called “Shellshocked” by some.

The security vulnerability was first reported on Wednesday. The U.S. National Cyber Security Division gave it a 10 out of 10 for “exploitability.”

The bug is more limited in scope than the Heartbleed bug discovered last year, but still problematic because the bash function is found in so many programs.

“We already noticed attacks against web servers earlier today, and they are very easy to implement and carry out,” said Bogdan Botezatu, a threat analyst with Bitdefender, a computer security company based in Bucharest, Romania.

Operating system vendors have already begun issuing partial fixes that make attacks more difficult to implement, said Botezatu. They don't fix the problem but create “a barrier that would buy vendors more time to find a universal approach.”

“The real scale of the problem is not yet clear. It's almost certain that hackers and security researchers are testing web services and Linux software right now and the results of these tests will probably be published in the coming days,” said David Jacoby, a security researcher at Kaspersky Lab.

“The good news is that vendors of some of the most popular products affected by the vulnerability have already prepared patches that could at least partially eliminate the problem. Now it is up to administrators managing vulnerable systems - how quickly they react and update vulnerable software,” he said.

Source: www.topix.com
