Security bug Bash poses bigger threat than Heartbleed

25 Sep 2014

A recently discovered security bug, called Bash or Shellshock, could prove a bigger threat than the infamous Heartbleed bug, which had a devastating impact on computer systems earlier this year, International Business Times reported (See: 'Heartbleed' bug could badly hit internet, mobile services).

According to experts, the vulnerability stemmed from the Bourne Again Shell (Bash) command line used in many Linux and Unix operating systems, mostly found in major servers and devices connected to the internet-of-things.

According to Tod Beardsley, an engineer at security firm Rapid7, attackers exploiting the vulnerability could potentially take over the operating system, access confidential information, and make changes, among other things.

He added that anybody with systems using Bash needed to deploy the patch immediately.

Warning that the Bash bug had the highest severity rating of "10", he said it had a "low" complexity rating, meaning hackers could launch massive attacks with relative ease.

According to another security expert, Robert Graham, the bug was "bigger" than Heartbleed. The Heartbleed bug had left millions of systems vulnerable through a flaw in OpenSSL in April.

The bug led to major cyber thefts, including the personal details of Canadian taxpayers, members of Mumsnet, and owners of Android smartphones and tablets.

The new vulnerability could spell disaster for major digital companies, small-scale web hosts and even internet-connected devices, CNET reported.

The security flaw allows execution of malicious code within the Bash shell (commonly accessed through Command Prompt on PC or Mac's Terminal application) and allows hackers to take over the operating system and access confidential information.

According to a post from open-source software company Red Hat, "it is common for a lot of programs to run Bash shell in the background." The bug gets "triggered" with the addition of extra code within the lines of Bash code.

Graham warned that the Bash bug was bigger than Heartbleed as "the bug interacts with other software in unexpected ways" and because an "enormous percentage" of software interacts with the shell.

"We'll never be able to catalogue all the software out there that is vulnerable to the Bash bug," Graham said. "While the known systems (like your web server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable."

According to Ars Technica, the vulnerability could affect Unix and Linux devices, as well as hardware running Mac OS X. Ars said a test on Mac OS X Mavericks (version 10.9.4) showed that it had "a vulnerable version of Bash".
