According to experts, millions of servers run software vulnerable to the Shellshock bug, which lets attackers run commands on those systems.
A series of attacks on websites and servers exploiting the serious Shellshock bug has already been spotted.
So far, thousands of servers have been compromised via Shellshock, and some have been used to bombard web firms with data, experts said.
The number of attacks and compromises is likely to grow as the code used to exploit the bug is shared.
The Shellshock bug was discovered in a tool known as Bash that is widely used by the Unix operating system and many of its variants, including the open source Linux system and Apple’s OS X.
Apple said it was working on a fix for its operating system and added that most users would not be at risk from Shellshock.
Attackers have been spotted creating networks of compromised machines, known as botnets, that were then put to other uses.
One group used their Shellshock botnet to bombard machines run by Akamai with huge amounts of junk data to try to knock them offline. Another group used its botnet to scan for more machines that are vulnerable.
Evidence of the scanning and attacks came from honeypots run by security companies. These are computers that have been set up to look vulnerable but which record information about the attackers who target them.
The US and Canada are believed to have issued alerts and told technology staff to patch systems as quickly as possible. Amazon, Google, Akamai and many other tech firms have also issued advisories to customers about the bug.
As well as software patches for vulnerable systems, security firms and researchers are also producing signatures and filter lists to help spot attacks based around it.
Experts have discovered a new security vulnerability – dubbed the Shellshock or Bash bug – affecting hundreds of millions of computers, servers and devices.
The flaw has been found in a software component known as Bash, which is a part of many Linux systems as well as Apple’s Mac operating system.
The Shellshock bug can be used to remotely take control of almost any system using Bash, researchers said.
Some experts said the Shellshock bug was more serious than Heartbleed, which was discovered in April.
Some 500,000 machines worldwide were thought to have been vulnerable to Heartbleed. But early estimates, which experts said were conservative, suggest that Shellshock could hit at least 500 million machines.
The problem is particularly serious given that many web servers run on the Apache system, software that includes the Bash component.
Bash – which stands for Bourne-Again SHell – is a command prompt on many Unix computers. Unix is an operating system on which many others are built, such as Linux and Mac OS.
The US Computer Emergency Readiness Team (US-CERT) issued a warning about the bug, urging system administrators to apply patches.
However, other security researchers warned that the patches were “incomplete” and would not fully secure systems.
Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug.
Cybersecurity specialists Rapid7 rated the Bash bug as 10 out of 10 for severity, but “low” on complexity – a relatively easy vulnerability for hackers to capitalize on.
Security companies have said there is evidence that Shellshock is already being used by hackers.
The new bug has turned the spotlight, once again, onto the reliance the technology industry has on products built and maintained by small teams often made up of volunteers.
Heartbleed was a bug related to open source cryptographic software OpenSSL. After the bug became public, major tech firms moved to donate large sums of money to the team responsible for maintaining the software.
Similarly, the responsibility for Bash lies with just one person – Chet Ramey, a developer based at Case Western Reserve University in Ohio.