Dusseldorf. A newly discovered vulnerability may put many Internet users at risk. Attackers can execute commands remotely and thus take control of computers running operating systems such as Linux and Mac OS X. Software for Internet servers is also affected. It is not yet known whether the vulnerability, dubbed “Shellshock” (in German: war trauma), is already being exploited, but initial reports suggesting so are circulating online. A security researcher has published the vulnerability, and the U.S. government is now issuing a warning.
“The vulnerability shows once again that security problems can occur in all kinds of places,” says the Linux specialist Andreas Godzina. The consequences are still difficult to estimate, but may be greater than those of other vulnerabilities, says the founder and head of the Hanover-based IT service provider Axxeo GmbH in an interview with Handelsblatt Online.
The vulnerability affects software called Bash, which is used in Unix-based operating systems. System administrators use it, for example, to enter commands directly from the keyboard; experts refer to this function as a shell. Many programs also call it. “The matter is particularly dangerous because there are many ways in which Bash can be called by an application,” warns the software company Red Hat, which sells a Linux variant.
For some operating systems there are already updates that fix the Bash problem; according to the IT security agency US-CERT, these include the Linux distributions CentOS, Debian, Red Hat and Ubuntu. Apple's Mac OS X could also be affected. The company initially did not respond to a question on the issue.
The vulnerability does not affect all operating systems, but it nevertheless poses a danger to all Internet users. “The trouble is that many web applications probably access Bash directly or indirectly,” says IT expert Godzina. “Therefore, it may be possible to run arbitrary commands on web servers from the outside.”
If attackers succeed in gaining access, they can, for example, plant malicious software on other people's servers; users who visit the website will then have their computers infected with it. In the worst case, the criminals can hijack the PC and, for example, steal data. Common security measures provide only limited protection.
The scale of the problem cannot yet be assessed. The U.S. security firm Errata Security claims to have found at least 3000 vulnerable web servers in a first, superficial examination. But there are probably many more systems affected, explains Errata Security researcher Robert Graham. Numerous networked devices, such as surveillance cameras that can be controlled remotely, also use the Bash software. Shellshock thus also concerns the Internet of Things.
Graham's conclusion: the problem is just as serious as Heartbleed, a vulnerability in the encryption technology OpenSSL that affected up to two thirds of all Internet servers.