Hackers have already begun to exploit a newly-disclosed vulnerability in a small piece of software that could compromise more than 500 million computers, servers and devices, the Fiscal Times and ZDNet report.
The bug, dubbed “Shellshock,” was first reported by security researchers Wednesday. Security experts warn it could be exploited to remotely take control of any operating system that uses a software component known as Bash.
“This is not a bug to fool around with,” security expert Steven J. Vaughan-Nichols says. “It has the potential to wreak havoc with [operating] systems.”
Security experts have been racing to develop fixes and patch systems for Shellshock, but, according to ZDNet, “it appears hackers have been working on tools to attack vulnerable systems.”
A researcher known as Ynette tweeted late Wednesday that she had discovered the first hacker attack “in the wild” that exploited the bug. An attack is considered in the wild if it spreads as a result of normal day-to-day operations on and between the computers of unsuspecting users.
On Thursday, an Australian security group published an update saying it had “received reports that this vulnerability is currently being exploited in the wild. Administrators should patch vulnerable systems as soon as possible.”
According to the Fiscal Times, the Shellshock bug is more serious than Heartbleed, a critical vulnerability in the OpenSSL server software that made headlines a few months ago.
“Where Heartbleed only affected some 500,000 machines in total, conservative estimates place Shellshock’s influence at over 500 million compromised machines,” the Fiscal Times says.
In theory, the bug could allow a hacker unfettered access to any data on a vulnerable system — including passwords, personal files and other sensitive information. “Whereas something like Heartbleed was all about sniffing what was going on, this [is] about giving you direct access to the system,” security researcher Prof. Alan Woodward told the BBC.
The good news is that Shellshock is easily fixed and several patches were released Thursday. But security experts are concerned, the Fiscal Times says, about “the potential development of a worm that jumps from one vulnerable system to the next, executing code wherever it can.”
Source: Fiscal Times, “The New Heartbleed? ‘Shellshock’ Threatens 500M Computers”