A SECURITY hole in Unix software code poses an enormous threat to everything from computers, sewerage treatment plants and pump networks to web servers, traffic lights, airport lights, SCADA systems and even Apple Mac computers.
That’s because the hole has been found in a piece of code that’s fundamental to the running of machines across the internet, along with network infrastructure such as routers, switches, and phone exchanges.
It affects systems that operate Linux, Apple’s OS X operating system, and others, and in its worst-case scenario, it opens the door for hackers to obtain access to computers and other systems through a web browser. From there they can infiltrate and play havoc with machines as well as the corporate computer networks they are part of.
Australia’s Computer Emergency Response Team said the code vulnerability was possibly the result of human error — a programming mistake. AusCERT information security analyst Marco Ostini said that since its discovery, hackers had been active in exchanging code in chat rooms and on Twitter. “It’s the sort of thing people could do without understanding the technicalities involved,” he said.
Mr Ostini said that because the flaw was part of the building blocks of the internet, the threat was even bigger than that posed by the Heartbleed security hole exposed in April. US company Red Hat, which specialises in providing open-source software to enterprises, logged it on September 14. It was discovered by Stephane Chazelas of internet content delivery giant Akamai. Mr Ostini said that under responsible disclosure practices, the bug’s existence was not reported publicly until today, along with many of the code fixes needed to nullify it.
But to his knowledge Apple has yet to release an update for its OS X operating system, which was also affected by the security breach. Apple at this stage is not commenting. It has a policy of investigating security breaches and preparing a patch before making any public comment. Mr Ostini said the bug also could possibly affect iOS — the operating system used with the iPhone and iPad, and also possibly Windows, but this was less likely. “Code vulnerabilities are a dime a dozen, but this particular vulnerability is easy to exploit,” he said. Sources have told The Australian that FreeBSD, Oracle’s Solaris Unix system, HP’s implementation of Unix, HP-UX, Amazon Web Services, and Android are among others that are also yet to be patched.
Mr Ostini said hackers could exploit the security hole by using a CGI (Common Gateway Interface) web script, which is used to display web pages. Computer and mobile users who accessed these sites could give hackers the ability not only to control their machines but also to access the networks they are connected to. “The web script could take over the machine and give them access to everything,” he said. He said the bug was similar to a weakness exposed in Unix about 30 years ago.
Mr Ostini said he was not aware of reports of anyone successfully exploiting the vulnerability, but he said there was “lots of chatter” in various parts of the internet about it, along with guides on how to exploit it, including code to cut and paste and try out. Companies such as Red Hat, Ubuntu and Akamai had issued interim patches which, while not perfect, were sufficient to address the vulnerability, he said.
Kaspersky Lab chief executive Eugene Kaspersky said the internet should expect a lot of exploits and hacked websites to be disclosed in coming weeks. “The CVE-2014-6271 #bash patch doesn’t cover the full scope of the issue. Consider the current patch frenzy a trial run,” he said on Twitter.