Belfast Telegraph

Home News World

Cyber experts warn over 'Bash' bug

New warnings are emerging of a security flaw known as the "Bash" bug, which cyber experts say could pose a serious threat to computers and other devices using Unix-based operating systems such as Linux and Mac OS X.

As well as computers, devices including home internet routers, systems used to run factory floors and power plants, and medical equipment could be affected.

The US Department of Homeland Security's Computer Emergency Readiness Team has issued a warning about the vulnerability.

Experts are divided over whether the bug could pose a bigger threat than the "Heartbleed" computer security flaw discovered earlier this year.

Security company Rapid7 said that while the vulnerability "looks pretty awful at first glance", hackers will not be able to exploit most systems running the affected software.

The Heartbleed bug exploited a key piece of security technology used by hundreds of thousands of websites. For more than two years before it was discovered, the flaw exposed passwords and other sensitive data to hackers who could steal that information.

The reason the Bash bug could be worse than Heartbleed is because it gives the attacker a bigger advantage than Heartbleed did, said Tod Beardsley, engineering manager at Rapid7. With Heartbleed, attackers could get an information leak. With the Bash bug, they can get "remote code execution", a way to take control of the affected device to install programmes or run commands, he said.

The bug is rated a maximum 10 out of 10 for its impact and ease of exploitability by the Common Vulnerability Scoring System, an industry standard for assessing how bad security flaws are.

On the other hand, a perfect set of conditions needs to be present for the bug to be open to exploitation. That could limit its effect.

The vulnerability was discovered by Stephane Chazelas of Akamai Technologies. The company said in a blog that it has no evidence that any systems were compromised using the bug.

Akamai said: "Unfortunately, this isn't, 'No, we have evidence that there were no compromises'; rather, 'We don't have evidence that spans the lifetime of this vulnerability'. We doubt many people do - and this leaves system owners in the uncomfortable position of not knowing what, if any, compromises might have happened."

Mr Beardsley said concerned users should wait for the patches device makers and others will be releasing in the coming weeks.

Your Comments

COMMENT RULES: Comments that are judged to be defamatory, abusive or in bad taste are not acceptable and contributors who consistently fall below certain criteria will be permanently blacklisted. The moderator will not enter into debate with individual contributors and the moderator’s decision is final. It is Belfast Telegraph policy to close comments on court cases, tribunals and active legal investigations. We may also close comments on articles which are being targeted for abuse. Problems with commenting? customercare@belfasttelegraph.co.uk

Popular

From Belfast Telegraph