‘Bash’ Software Bug Poses Bigger Threat to Computers Than 'Heartbleed'

Cyber experts warned that a new security bug called "Bash" is affecting Linux software, and might be a more serious problem than the "Heartbleed" bug discovered in April that stole 4.5 million patient records.

Bash affects Unix computers by controlling the command prompt to take over the targeted system. The U.S. Computer Emergency Readiness Team (US-CERT) under the Department of Homeland Security has informed affected parties, including Linux and Apple.

Cyber criminals were able to spy on various computer systems, but failed to take full control of them. Bash, on the other hand, is easier to use, which made exploitation simpler, according to Reuters.

"The method of exploiting this issue is also far simpler. You can just cut and paste a line of code and get good results," explained Dan Guido, chief executive of cybersecurity firm Trail of Bits.

Another cybersecurity firm, Rapid7, rated Bash "10" for severity and low rate of exploitation, indicating that it is capable of causing significant problems using simple means. Thus, cyber criminals can use Bash to stage attacks quickly.

"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," Rapid7 engineering manager Tod Beardsley described to Reuters. "Anybody with systems using Bash needs to deploy the patch immediately."

The US-CERT urged users of the vulnerable operating systems to ask for updates from the vendors. Linux has prepared patches, while Apple has not announced yet if it will be releasing updates for its Mac OS X. However, Google security researcher Tavis Ormandy expressed his concerns on Twitter, and said the patches may be "incomplete."

The Red Hat's security team has confirmed that the patch is indeed incomplete, according to Mashable. Robert Graham of Errata Security scanned the web servers and found at least 3,000 systems vulnerable to Bash.

"We'll never be able to catalogue all the software out there that is vulnerable to the Bash bug," Graham said, quoted by CNET. "While the known systems (like your Web server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable."