US, researchers warn of new computer vulnerability

The US government and computer security researchers warned today of a vulnerability in some computer operating systems which potentially allow widespread attacks by hackers.
A warning from the US Department of Homeland Security's Computer Emergency Readiness Team (CERT) said the flaw affects "Unix-based operating systems" powered by Linux and Apple's Mac OS.
CERT said that if hackers exploit this they could take control of a PC: "Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system."
The agency said a patch was available for the flaw, described by security researchers as "Bash" or "Shellshock."

Some said the flaw was similar to the "Heartbleed" bug which affected millions of computers worldwide earlier this year.
"One serious concern is that malware authors could exploit the vulnerability to create a fast-spreading worm," said independent security consultant Graham Cluley.

"If such a worm materialised it would, without question, make the Bash bug a more serious threat than the Heartbleed OpenSSL bug that impacted many systems earlier this year," Cluley said on his blog.
The difference is that Heartbleed allowed unauthorised parties to spy on computers, "whereas the Shellshock Bash bug allows attackers to hijack computers, and use them for their own purposes," he added.

Johannes Ullrich at the SANS Internet Storm Centre said the patch for the flaw "is incomplete" and that people using affected systems "should try to implement additional measures" which could include beefed up firewalls or software changes.
Eugene Kaspersky, who heads the Kaspersky Lab security group, said in a tweet that the flaw is serious.
The Bash bug "is BAD, expect a lot of exploits and hacked websites to be disclosed in the coming weeks," he wrote.