‘Bash’ computer bug could hit millions


WASHINGTON-

The US government and technology experts warned Thursday of a vulnerability in some computer operating systems, including Apple’s Mac OS, which could allow widespread and serious attacks by hackers.

The flaw affects “Unix-based operating systems” powered by Linux and Apple’s Mac OS, said the warning from the US Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security.

CERT said that if hackers exploit this they could take control of a PC: “Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.”

The agency said a patch was available for the flaw, which is described by security researchers as “Bash” or “Shellshock.”

Some said the security hole would be more damaging than the “Heartbleed” bug which affected millions of computers worldwide earlier this year.

– Bigger than Heartbleed –

“This is going to be much bigger than Heartbleed,” said Rahul Kashyap, chief security architect at Bromium Labs, a California-based security firm.

Kashyap said the Bash bug could affect millions of devices, from Web servers to Macintosh computers to webcams and other devices which connect to the Internet using open-source operating systems based on Linux.

Even though no exploit of the flaw was seen in the first hours after the vulnerability was made public, Kashyap said he expected “a huge impact in the next few days.”

Independent security consultant Graham Cluley agreed that if hackers create a worm that exploits the flaw, “it would, without question, make the Bash bug a more serious threat than the Heartbleed OpenSSL bug that impacted many systems earlier this year.”

While Heartbleed allowed unauthorized parties to spy on computers, “the Shellshock Bash bug allows attackers to hijack computers, and use them for their own purposes,” Cluley said in a blog post.

The computer security firm Symantec said it “regards this vulnerability as critical, since Bash is widely used in Linux and Unix operating systems running on Internet-connected computers, such as Web servers.”

Symantec added in a statement: “Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network.”

The news comes months after a panic among some security experts over Heartbleed, a flaw in a commonly used online platform for encrypted communications.

Internet users were advised to change passwords to online accounts or services, but only after checking to make sure the Heartbleed flaw was fixed and new certificates of online identity installed.

In the case of Bash, Kashyap said that users of computers and other devices should look to patch their systems quickly when updates become available, but also cautioned them to “watch out for scams, which could be fake updates” to install malware.
