A day after the Department of Homeland Security advised Internet users and corporations about a newly discovered software bug that could affect hundreds of millions of systems, hackers had begun exploiting the bug and companies were rushing to fix the issue for their users.
The bug, called Shellshock, affects a widely used piece of software called BASH, a sort of interpreter that is used in an array of software, including Mac’s OS X operating system. The bug could be used by hackers to take control of a machine or run programs surreptitiously in the background.
In a statement, Apple said that most of its OS X users were not at risk from the Shellshock bug because Apple’s default settings protect users from remote exploits, like the kind cybercriminals would need to use to infiltrate a personal desktop or laptop computer. The company noted, however, that if users had reconfigured their advanced Unix services (underlying code in OS X), they might face issues.
"We are working to quickly provide a software update for our advanced Unix users," the company said in its statement.
Early Friday afternoon, the patch was not yet available.
Initially, security experts also expressed alarm that all smartphones on Google’s Android operating system would be affected. Google said Friday, however, that Android used an alternative to BASH that did not contain the vulnerability. But security experts noted that because Android is open-source software, many corporations and users tweak it and incorporate it into other products, which could use BASH. The message is that Android users should still check to see if they are vulnerable.
Trend Micro, the security firm, said it was moving quickly to release license-free tools to scan and protect vulnerable servers, as well as Web users, across Mac OS X and Linux platforms.
An official alert from the National Institute of Standards and Technology warned that the vulnerability was a 10 out of 10 in terms of its severity, impact and ability to be exploited, but low in terms of its complexity, meaning that it could be easily used by hackers.
Security researchers say that as soon as the bug was reported they detected widespread Internet scanning by "white hat" hackers — most likely security researchers — as well as people thought to be cybercriminals. The worry is that it is only a matter of time before somebody writes a program that will use Shellshock to take over machines.