Feds raise alarms about ‘Shellshock’ bug

Federal officials are warning the public about a new software bug that hackers could potentially use to take control of hundreds of millions of computers and other machines around the world.

The bug, known as “Shellshock,” is a flaw in Unix-based software systems reportedly used in 70 percent of machines that connect to the Internet, including many phones and computers, as well as refrigerators, medical devices and other “smart” appliances that connect to the Web.

It was discovered earlier this month but became public just this week. Some Mac computers, Android smartphones and machines running the Linux operating system are reportedly at risk.

Security experts fear that the bug could be bigger than “Heartbleed,” a glitch in the widely popular OpenSSL encryption technology that threatened people’s credit card numbers, passwords and other sensitive data earlier this year. 

Unlike that bug, however, Shellshock could also allow a hacker to remotely take over someone’s machine, potentially allowing the attacker to take down the victim’s system.

The Department of Homeland Security this week issued a public alert that the Shellshock bug “may allow a remote attacker to execute arbitrary code on an affected system.”

The National Institute of Standards and Technology rated the threat a 10 out of 10. By comparison, the Heartbleed bug was given a 5.

Despite the concern, however, there have not yet been any confirmed attacks or incidents involving the bug, according to a DHS official.

DHS spokesman S. Y. Lee said in a statement that the department is “working with other agencies across the executive branch to determine any potential vulnerabilities and to implement mitigation strategies if necessary.”

The software shell on which the bug was discovered, known as bash, has been in use since 1989. As such, the vulnerabilities are practically countless, and the potential for abuse is only likely to increase.

“Stay tuned,” security researcher Brian Krebs wrote in a blog post. “This one could get interesting very soon.”