New Bash Bug security vulnerability 'worse than Heartbleed'

Estimates suggest security flaw could affect over 500 million computers and internet connected devices

A new security vulnerability described as "worse than Heartbleed" could wreak havoc on everything from IT systems to internet-connected devices, experts have warned.

Known as "The Bash Bug" and "Shellshock", the security flaw has been discovered in Bash, a command shell that ships with Linux systems and is also common on Apple Mac operating systems, and it can be exploited to take control of other systems that run Bash.

While the Heartbleed bug - which was discovered earlier this year - could be used to steal confidential information including usernames and passwords, the Bash Bug is more dangerous because it can be used to take control of both individual computers and entire networks. It's estimated that Shellshock could be used to target over 500 million computers and internet-connected devices.

The threat is seen as so severe that the United States Computer Emergency Readiness Team (US-CERT) has issued a warning to system administrators, recommending that they apply patches to combat the bug.

Speaking about the vulnerability, Darien Kindlund, director of threat research at FireEye, said that Bash Bug's impact could be much worse than Heartbleed's.

"This bug is horrible. It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic," he said.

"Conservatively, the impact is anywhere from 20 to 50 per cent of global servers supporting web pages," Kindlund continued. "Specifically, this issue affects web servers using GNU BASH to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet."

However, Lawrence Jones, CEO of Manchester-based internet hosting firm UKFast, argued that it was "too early to tell" how many machines will be affected by Bash Bug.

"Looking at what we've seen so far through our own testing, it appears that you can't exploit much without having prior access to the system. So - as it stands - it seems unlikely that many systems will be vulnerable through arbitrary remote command execution," he said.

"This isn't to say there won't be issues. The world's eyes are now firmly fixed on this story and there will be thousands of people trying to find active exploits, so it is still a risk. Deploying the relevant security patch and running updates is an essential next step," Jones said, going on to suggest that patches should be installed to ensure systems have the best chance of remaining safe.

"My advice would be to apply the relevant patches and updates being offered by Linux providers and keep checking back for further information as further patches may be released. I would also always recommend protecting your systems with a secure firewall," he said.