Experts have discovered a new security vulnerability – dubbed Shellshock, or the Bash bug – affecting hundreds of millions of computers, servers and devices.
The flaw has been found in a software component known as Bash, which is a part of many Linux systems as well as Apple’s Mac operating system.
The Shellshock bug can be used to remotely take control of almost any system using Bash, researchers said.
Some experts said the Shellshock bug was more serious than Heartbleed, discovered in April.
Some 500,000 machines worldwide were thought to have been vulnerable to Heartbleed. But early estimates, which experts said were conservative, suggest that Shellshock could hit at least 500 million machines.
The problem is particularly serious given that many web servers are run using the Apache system, software which includes the Bash component.
Bash – which stands for Bourne-Again SHell – is a command prompt on many Unix computers. Unix is an operating system on which many others are built, such as Linux and Mac OS.
The US Computer Emergency Readiness Team (US-CERT) issued a warning about the bug, urging system administrators to apply patches.
However, other security researchers warned that the patches were “incomplete” and would not fully secure systems.
Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug.
Cybersecurity specialists Rapid7 rated the Bash bug as 10 out of 10 for severity, but “low” on complexity – a relatively easy vulnerability for hackers to capitalize on.
Security companies have suggested that there is evidence Shellshock is being used by hackers.
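The article notes that Apache web servers are the main exposure point and that attacks are easy to mount. From the defender's side, the simplest first check is the server's own access log: on a CGI host, request headers are passed to scripts as environment variables, and a Bash function definition placed in a header (the string "() {") is the hallmark of a Shellshock probe. The following Python is an added example, not code from the article or from any vendor mentioned in it; the log lines are constructed in Apache "combined" format with documentation-range IP addresses and a harmless echo as the probe body.

```python
import re

# Apache "combined" log format:
# client ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock relies on Bash treating an environment variable whose value starts
# with a function definition, "() {", as code. Request headers become environment
# variables under CGI, so the marker shows up verbatim in logged header fields.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log (not real traffic): two ordinary requests and two probes,
# one carried in the User-Agent header and one in the Referer header.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:02:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :; }; echo probe"
203.0.113.9 - - [25/Sep/2014:10:03:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "() { :; }; echo probe" "curl/7.35.0"
192.0.2.11 - - [25/Sep/2014:10:04:30 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""


def find_shellshock_probes(log_text):
    """Return one record per log line whose request, Referer or User-Agent
    field carries a Bash function-definition marker."""
    hits = []
    for line in log_text.splitlines():
        match = COMBINED_RE.match(line)
        if not match:
            continue  # malformed or non-combined line; skip rather than guess
        for field in ("request", "referer", "agent"):
            if FUNC_DEF_RE.search(match.group(field)):
                hits.append({
                    "client": match.group("client"),
                    "time": match.group("time"),
                    "field": field,
                    "value": match.group(field),
                })
                break  # one alert per line is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} probe in {hit["field"]}: {hit["value"]!r}')
```

Matching on "() {" rather than on any particular command keeps the rule independent of what the attacker appends after the function body, which is the part that varies between campaigns; the header fields checked here are the ones a CGI server exports to Bash, so a hit is a strong signal regardless of the payload.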
The new bug has turned the spotlight, once again, onto the reliance the technology industry has on products built and maintained by small teams often made up of volunteers.
Heartbleed was a bug related to open source cryptographic software OpenSSL. After the bug became public, major tech firms moved to donate large sums of money to the team responsible for maintaining the software.
Similarly, the responsibility for Bash lies with just one person – Chet Ramey, a developer based at Case Western Reserve University in Ohio.
The Heartbleed bug has turned cyber criminals from attackers into victims as researchers use it to grab material from chatrooms where they trade data.
Discovered in early April, Heartbleed lets attackers steal data from computers using vulnerable versions of some widely used security programs.
Now it has given anti-malware researchers access to forums that would otherwise be very hard to penetrate.
The news comes as others warn that the bug will be a threat for many years.
The Heartbleed vulnerability was found in software, called OpenSSL, which is supposed to make it much harder to steal data. Instead, exploiting the bug makes a server hand over small chunks of the data it has just handled – in many cases login details or other sensitive information.
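The mechanism the paragraph describes is a missing bounds check: a TLS heartbeat message declares its own payload length, and the vulnerable code copied that many bytes back to the sender without confirming the record actually contained them. The Python below is an added illustration, not OpenSSL's code and not from the article; it models the message layout from RFC 6520 (type, two-byte length, payload, 16 bytes of padding) and places the pre-fix and post-fix handling side by side. The "memory after the record" buffer is a constructed stand-in for whatever the process happened to hold next to the received message.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # minimum padding a heartbeat message must carry (RFC 6520)


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat message: type(1) | payload_length(2) | payload | padding.

    claimed_len lets a caller construct a message whose declared length exceeds
    the real payload, which is exactly the malformed input the fix rejects.
    """
    length = len(payload) if claimed_len is None else claimed_len
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length)
            + payload + b"\x00" * PADDING_LEN)


def respond_unchecked(record: bytes, memory_after_record: bytes) -> bytes:
    """Pre-fix behaviour: trust the declared length and copy that many bytes,
    running past the real payload into whatever follows it in memory."""
    declared = struct.unpack("!H", record[1:3])[0]
    buffer = record + memory_after_record  # stand-in for the process heap (constructed)
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", declared) + buffer[3:3 + declared]


def respond_checked(record: bytes, memory_after_record: bytes) -> Optional[bytes]:
    """Post-fix behaviour: discard any message whose declared length does not
    fit inside the received record, mirroring the check added to OpenSSL."""
    if len(record) < 1 + 2 + PADDING_LEN:
        return None  # too short to hold even an empty payload plus padding
    declared = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + declared + PADDING_LEN > len(record):
        return None  # declared length overruns the record: silently drop it
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", declared) + record[3:3 + declared]


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    declared = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + declared]


if __name__ == "__main__":
    secret = b"SESSION=abc123; password=hunter2"  # constructed neighbouring data
    bad = build_heartbeat(b"hi", claimed_len=40)    # says 40 bytes, carries 2
    print("unchecked:", response_payload(respond_unchecked(bad, secret)))
    print("checked:  ", respond_checked(bad, secret))
    print("well-formed:", response_payload(respond_checked(build_heartbeat(b"hi"), secret)))
```

The check is deliberately expressed in the same terms as the message layout (1 + 2 + declared + padding against the record length) so it is obvious that every byte the response will read lies inside the bytes the peer actually sent; a memory-safe parser would have rejected the over-read automatically, which is why the bug is often cited in arguments for such languages.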
French anti-malware researcher Steven K said: “The potential of this vulnerability affecting black-hat services (where hackers use their skills for criminal ends) is just enormous.”
Heartbleed had put many such forums in a “critical” position, he said, leaving them vulnerable to attack using tools that exploit the bug.
Steven K said he was using specially written tools to target some closed forums called Darkode and Damagelab.
“Darkode was vulnerable, and this forum is a really hard target,” he said.
“Not many people have the ability to monitor this forum, but Heartbleed exposed everything.”
Charlie Svensson, a computer security researcher at Sentor, which tests companies’ security systems, said: “This work just goes to show how serious Heartbleed is. You can get the keys to the kingdom, all thanks to a nice little heartbeat query.”
Individuals who repeat the work of security researchers such as Steven K could leave themselves open to criminal charges for malicious hacking.
The widespread publicity about Heartbleed had led operators of many websites to update vulnerable software and urge users to change passwords.
Many so-called smart devices, such as home routers, CCTV cameras, baby monitors and home-management gadgets that control heating and power, were now known to be vulnerable to Heartbleed-based attacks.
A survey by tech news site Wired found that smart thermostats, cloud-based data services, printers, firewalls and video-conferencing systems were all vulnerable.
Other reports suggest the makers of some industrial control systems are also now producing patches for their software to limit the potential for attack.
People who have accounts on the ObamaCare enrollment website are being told to change their passwords following an administration-wide review of the government’s vulnerability to the confounding Heartbleed computer bug.
Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government’s Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page.
The Heartbleed computer bug has caused major security concerns across the Internet and affected a widely used encryption technology that was designed to protect online accounts. Major Internet services have been working to insulate themselves against the bug and are also recommending that users change their website passwords.
Officials said the administration was prioritizing its analysis of websites with heavy traffic and the most sensitive user information. A message that will be posted on the health care website starting Saturday reads: “While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution.”
HealthCare.gov website became a prime target for critics of the ObamaCare law last fall when the opening of the insurance enrollment period revealed widespread flaws in the online system. Critics have also raised concerns about potential security vulnerabilities on a site where users input large amounts of personal data.
The website troubles were largely fixed during the second month of enrollment and sign-ups ultimately surpassed initial expectations. Obama announced this week that about 8 million people had enrolled in the insurance plans.
The full extent of the damage caused by the Heartbleed is unknown. The security hole exists on a vast number of the Internet’s Web servers and went undetected for more than two years. Although it’s conceivable that the flaw was never discovered by hackers, it’s difficult to tell.
The White House has said the federal government was not aware of the Heartbleed vulnerability until it was made public in a private sector cybersecurity report earlier this month. The federal government relies on the encryption technology that is impacted – OpenSSL – to protect the privacy of users of government websites and other online services.
The Homeland Security Department has been leading the review of the government’s potential vulnerabilities. The Internal Revenue Service, a widely used website with massive amounts of personal data on Americans, has already said it was not impacted by Heartbleed.
“We will continue to focus on this issue until government agencies have mitigated the vulnerability in their systems,” Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications, wrote in a blog post on the agency website.
“And we will continue to adapt our response if we learn about additional issues created by the vulnerability.”
Officials wouldn’t say how many government websites they expect to flag as part of the Heartbleed security review, but said it’s likely to be a limited number. The officials insisted on anonymity because they were not authorized to discuss the security review by name.