A nasty bug in many of the world’s Linux and Unix operating systems could allow malicious hackers to create a computer worm that wreaks havoc on machines across the globe, security experts say.
The flaw, called Shellshock, is being compared to last spring’s Heartbleed bug because it lets attackers do some nasty stuff—in this case, run unauthorized code—on a large number of Linux computer servers. The flaw lies in Bash, a standard Unix program that’s used to connect with the computer’s operating system.
The good news is that it doesn’t take long to patch the bug. At internet infrastructure provider CloudFlare, admins scrambled for about an hour this morning to fix the flaw, which was disclosed late on Tuesday. “We got 95 percent of it done within 10 minutes,” says Ryan Lackey, a security engineer at the company.
Because Shellshock is easy to exploit—it only takes about three lines of code to attack a vulnerable server—Lackey and other security experts think there’s a pretty good chance that someone will write worm code that will jump from vulnerable system to vulnerable system, creating hassles for the world’s system administrators. “People are already exploiting it in the wild manually, so a worm is a natural outgrowth of that,” Lackey says.
To exploit the bug, the bad guys need to connect to software such as PHP or DHCP, which use Bash to launch programs within the server’s operating system.
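The practical follow-up to the patching described above is verifying that the fix took. The script below is an added example, not from the article or from CloudFlare: it checks whether the local `bash` (assumed to be on `PATH`, or passed as the first argument) still executes a command appended to a function definition imported from the environment, which is the behaviour the bug exposes. The function name `check_bash_shellshock` is my own.

```bash
#!/bin/sh
# Added example (not from the article): verify that a bash binary ignores
# trailing commands attached to an exported function definition.
# A patched bash imports nothing from the crafted variable and prints only "ok";
# an unpatched bash runs the trailing "echo vulnerable" while starting up.

# Returns 0 when bash looks patched, 1 when it still runs the trailing command,
# 2 when the requested bash binary cannot be found.
check_bash_shellshock() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # Constructed environment value: a harmless function body followed by a
    # marker command that only a vulnerable bash would execute on startup.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo ok' 2>/dev/null)

    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Usage: run after patching, on every host that exposes bash through
# CGI/PHP, DHCP clients or similar paths.
check_bash_shellshock "$@"
case $? in
    0) echo "bash appears patched: no trailing command was executed" ;;
    1) echo "bash still executes trailing commands from environment function definitions: patch now" ;;
    2) echo "bash binary not found" ;;
esac
```

The check only covers the original function-import behaviour; vendors shipped follow-up patches for related parsing bugs, so the check passing is necessary but not sufficient on its own.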
There are still some important questions about the bug. One is whether other operating systems that use Bash—Mac OS, for example—are vulnerable. Another big one: how many Linux server applications and appliance-like Linux devices—things like storage servers or video recording devices—might be vulnerable to the flaw. Many of these Linux systems do not use the Bash software, but those that do could be vulnerable to attack and difficult to patch.
In the grand scheme of things, Shellshock is not as big a problem as, say, phishing attacks, which continue to trick internet users, says Robert Graham, CEO of Errata Security. However, it’s “slightly worse than Heartbleed,” he says. “It’s in more systems. It’s going to be harder to track them down and patch them, and you can immediately exploit it with remote code execution.” Heartbleed let criminals steal your usernames and passwords, but it didn’t make it quite so easy to run your own malicious software on a vulnerable system, Graham says.
Like Heartbleed, the new bug has been around for a long time, and was introduced in a widely used piece of open source software. In the wake of Heartbleed, the open source community came up with some money to beef up the security of several popular open-source tools. And it may be time to add a few more—including Bash—to that list.
Source: wired.com
