BOSTON, Sept 25 (Reuters) – Hackers have launched attacks exploiting the newly identified “Shellshock” computer bug, researchers warned on Thursday, as news surfaced that an initial patch for the issue was incomplete, suggesting even updated systems were vulnerable.
The attacks came as security experts scrambled to determine how many systems and what types of computers are vulnerable to “Shellshock,” which some say may be as serious as the “Heartbleed” vulnerability that surfaced in April.
“Shellshock” is a bug in a piece of software known as “Bash” that runs the command prompt on many Unix computers, including some Linux servers that run websites, and tiny computers inside consumer devices such as routers and web cams.
“We don’t actually know how widespread this is. This is probably one of the most difficult-to-measure bugs that has come along in years,” said Dan Kaminsky, a well-known expert on Internet threats.
For an attack to be successful, a targeted system must be accessible via the Internet and also running a second vulnerable set of code besides Bash, computer experts said.
“There is a lot of speculation out there as to what is vulnerable, but we just don’t have the answers,” said Marc Maiffret, chief technology officer of cybersecurity firm BeyondTrust. “This is going to unfold over the coming weeks and months.”