A newly discovered bug in shell software Bash can be exploited by hackers to take control of Unix-based systems, in what cyber experts are warning is a more serious threat than the Heartbleed bug that hit the news earlier this year.
The bug in Bash, dubbed "Shellshock" by some experts, threatens systems running Unix, as well as related "Unix-like" operating systems such as Linux and Mac OS X.
Bash, short for Bourne Again Shell, is a widely used shell that provides the command line user interface on many Unix-based computers.
First developed back in the late 1980s, Bash has been included in many versions of Unix, Linux and Apple's OS X, meaning a large number of computers are potentially vulnerable to the exploit.
When exploiting the Shellshock bug, hackers are able to inject code into the shell of Unix-based operating systems and have it executed, allowing them to seize control of the computer.
The severity of the vulnerability has led the US Computer Emergency Readiness Team (US-CERT) to issue a warning about it.
US-CERT recommends those concerned about the bug seek help from the Red Hat Security Blog, or consult their respective Linux or Unix operating system vendor for advice.
The bug is said to be more dangerous than the Heartbleed bug discovered back in April, as it enables hackers to control a system rather than just spy on it.
Professor Alan Woodward from the University of Surrey believes that the threat posed by the bug was originally underestimated. "What many do not realise is that over 50 percent of active websites run on a web server called Apache, which runs on Unix, and hence is potentially vulnerable," he said.
Woodward added: "As we have just passed the point where there are one billion active websites, that means that something in excess of 500 million sites could be vulnerable to this security flaw, compared to only 500,000 for the Heartbleed bug."
Darien Kindlund, director of Threat Research at FireEye, echoed Woodward's concerns. "This bug is horrible. It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic. Conservatively, the impact is anywhere from 20 to 50 percent of global servers supporting webpages," declared Kindlund.
While operating system vendors are scrambling to push out patches to plug the bug, Woodward worries that to address the threat, people need to be aware of it and apply the fix.
He believes that patches will go unapplied as there are many systems and devices, such as WiFi routers, which run Linux in the background without users' knowledge.
"If one includes such devices, the number of potentially vulnerable systems is enormous, and scans are going on right now to determine how widespread the problem is in practice," concluded Woodward.
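The reason a web server is exposed at all is that Bash imported shell function definitions from environment variables and, on affected versions, kept executing whatever followed the function body; network-facing services that hand request data to a shell through environment variables therefore let outside input reach that parser. The practical question for an administrator is simply whether the Bash on a given host has been updated. The script below is an added example for this article, not code from the original piece or from any vendor: it performs the same kind of local self-test that vendors published, runs only on the machine you execute it on, and the injected text does nothing beyond echoing a marker string (`SHELLSHOCK_MARKER` is a constructed name). A patched Bash ignores the trailing command; an unpatched one runs it at startup.

```shell
#!/bin/sh
# Added example (not from the article): report whether the local bash still
# executes trailing commands found in environment-variable function definitions.

shellshock_status() {
    # A host without bash has nothing to patch for this bug.
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Export a variable whose value is a function body followed by an extra
    # command. Only the extra command distinguishes patched from unpatched:
    # an affected bash prints the marker while starting up, a fixed one does not.
    # stderr is discarded because fixed versions may warn about the import.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c ':' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *) echo "patched" ;;
    esac
}

bash_version_line() {
    # First line of `bash --version`, useful when comparing against the
    # version your vendor's advisory names as fixed.
    command -v bash >/dev/null 2>&1 || { echo "bash not installed"; return 0; }
    bash --version 2>/dev/null | head -n 1
}

report() {
    status=$(shellshock_status)
    case "$status" in
        vulnerable)
            echo "RESULT: bash executes trailing code from environment variables; apply your vendor's bash update now" ;;
        patched)
            echo "RESULT: bash ignores trailing code in environment variables; this host is patched or not affected" ;;
        no-bash)
            echo "RESULT: bash is not installed on this host" ;;
    esac
    echo "VERSION: $(bash_version_line)"
    echo "$status"
}

report
```

Run it as an ordinary user on each host you are responsible for; it needs no privileges and changes nothing. Because devices such as the routers Woodward mentions rarely expose a shell prompt, the check only covers hosts you can log into, so an inventory of embedded Linux devices still has to be compared against vendor firmware advisories by hand.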
The impact of the Bash bug has yet to be felt, but with many old systems vulnerable to the bug, the sheer volume of fixes needed makes it a large problem.
With the Heartbleed bug, attacks were found to have started within 24 hours of its disclosure, even though the bug had existed for some time before that.