BOSTON (Reuters) - A newly discovered security bug in a widely used piece of Linux software, known as "Bash," could pose a bigger threat to computer users than the "Heartbleed" bug that surfaced in April, cyber experts warned on Wednesday.
Bash is the software used to control the command prompt on many Unix computers. Hackers can exploit a bug in Bash to take complete control of a targeted system, security experts said.
The Department of Homeland Security's United States Computer Emergency Readiness Team, or US-CERT, issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Apple Inc's Mac OS X.
The "Heartbleed" bug allowed hackers to spy on computers but not take control of them, according to Dan Guido, chief executive of a cybersecurity firm Trail of Bits.
"The method of exploiting this issue is also far simpler. You can just cut and paste a line of code and get good results."
Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, warned the bug was rated a "10" for severity, meaning it has maximum impact, and rated "low" for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.
"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," Beardsley said. "Anybody with systems using Bash needs to deploy the patch immediately."
US-CERT advised computer users to obtain operating systems updates from software makers. It said that Linux providers including Red Hat Inc had already prepared them, but it did not mention an update for OS X. Apple representatives could not be reached.
Tavis Ormandy, a Google Inc security researcher, said via Twitter that the patches seemed "incomplete." Ormandy could not be reached to elaborate, but several security experts said a brief technical comment provided on Twitter raised concerns.
"That means some systems could be exploited even though they are patched," said Chris Wysopal, chief technology officer with security software maker Veracode.
He said corporate security teams had spent the day combing their networks to find vulnerable machines and patch them, and they would likely be taking other precautions to mitigate the potential for attacks in case the patches proved ineffective.
"Everybody is scrambling to patch all of their Internet-facing Linux machines. That is what we did at Veracode today," he said. "It could take a long time to get that done for very large organizations with complex networks."
"Heartbleed," discovered in April, is a bug in an open-source encryption software called OpenSSL. The bug put the data of millions of people at risk as OpenSSL is used in about two-thirds of all websites. It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.
Bash is a shell, or command prompt software, produced by the non-profit Free Software Foundation. Officials with that group could not be reached for comment.
(Reporting by Jim Finkle; Editing by Tiffany Wu and Ken Wills)
Support HuffPost
Our 2024 Coverage Needs You
Your Loyalty Means The World To Us
At HuffPost, we believe that everyone needs high-quality journalism, but we understand that not everyone can afford to pay for expensive news subscriptions. That is why we are committed to providing deeply reported, carefully fact-checked news that is freely accessible to everyone.
Whether you come to HuffPost for updates on the 2024 presidential race, hard-hitting investigations into critical issues facing our country today, or trending stories that make you laugh, we appreciate you. The truth is, news costs money to produce, and we are proud that we have never put our stories behind an expensive paywall.
Would you join us to help keep our stories free for all? Your contribution of as little as $2 will go a long way.
Can't afford to donate? Support HuffPost by creating a free account and log in while you read.
As Americans head to the polls in 2024, the very future of our country is at stake. At HuffPost, we believe that a free press is critical to creating well-informed voters. That's why our journalism is free for everyone, even though other newsrooms retreat behind expensive paywalls.
Our journalists will continue to cover the twists and turns during this historic presidential election. With your help, we'll bring you hard-hitting investigations, well-researched analysis and timely takes you can't find elsewhere. Reporting in this current political climate is a responsibility we do not take lightly, and we thank you for your support.
Contribute as little as $2 to keep our news free for all.
Can't afford to donate? Support HuffPost by creating a free account and log in while you read.
Dear HuffPost Reader
Thank you for your past contribution to HuffPost. We are sincerely grateful for readers like you who help us ensure that we can keep our journalism free for everyone.
The stakes are high this year, and our 2024 coverage could use continued support. Would you consider becoming a regular HuffPost contributor?
Dear HuffPost Reader
Thank you for your past contribution to HuffPost. We are sincerely grateful for readers like you who help us ensure that we can keep our journalism free for everyone.
The stakes are high this year, and our 2024 coverage could use continued support. If circumstances have changed since you last contributed, we hope you’ll consider contributing to HuffPost once more.
Support HuffPostAlready contributed? Log in to hide these messages.