US warns of Bash bug, a bigger threat than Heartbleed

The U.S. government has joined an array of researchers warning of a security flaw that could allow hackers to access devices ranging from computers to video cameras and steal data.

A vulnerability in some Unix-based systems, such as Linux and Mac OS X, “may allow a remote attacker to execute arbitrary code on an affected system,” the U.S. Department of Homeland Security’s Computer Emergency Readiness Team said in a statement on its website. Systems administrators can fix the flaw with a patch, it said.

The vulnerability affects the Bourne-again shell, or Bash, one of the most widely installed pieces of software on any Linux system, software maker Red Hat Inc. said in a statement on its security blog. The vulnerability, dubbed Shell Shock, could let hackers insert extra code into a computer, leading to data theft or the crashing of networks.

“Shell Shock is incredibly easy to exploit,” Jeremiah Grossman, chief executive officer of Santa Clara-based Internet security company WhiteHat Security, said in an emailed response to questions. “Compromise of one affected system can automatically spread to another vulnerable system. If this is the case, Shell Shock could easily turn out to be a much bigger problem than Heartbleed.”

Carolyn Wu, a Beijing-based spokeswoman for Apple, didn’t immediately return phone calls and an email Thursday. Apple’s Trudy Muller, based in Cupertino, California, didn’t respond to an email after normal business hours.

Heartbleed, a security flaw disclosed in April, affected as many as two-thirds of all Internet servers and could allow hackers to intercept traffic including emails, user names and passwords.

At least 3,000 systems vulnerable to Shell Shock were discovered in a scan conducted by Errata Security, with the possibility of as many as 50 times more to be found, the Atlanta-based team of security researchers wrote in a blog post.

“Today’s bash bug is as big a deal as Heartbleed,” Robert Graham of Errata said in an earlier blog post yesterday, noting that Internet-of-things devices such as video cameras are also vulnerable. “The bug interacts with other software in unexpected ways.”

While Heartbleed was limited to a specific version of OpenSSL, used by companies to secure Internet traffic, the bug in Bash has been around much longer with many older devices that are unlikely to be patched, Graham wrote.