Companies Rush to Fix Shellshock Software Bug as Hackers Launch Thousands of Attacks

A day after the Department of Homeland Security advised Internet users and corporations about a newly discovered software bug that could affect hundreds of millions of systems, hackers had already begun exploiting the bug and companies were rushing to fix the issue for their users.

The bug, called Shellshock, affects a widely used piece of software called Bash, a command interpreter, or shell, that is built into a wide range of systems, including Apple’s OS X operating system for the Mac. The bug could be used by hackers to take control of a machine or run programs surreptitiously in the background.

In a statement, Apple said that most of its OS X users were not at risk from the Shellshock bug because Apple’s default settings protect users from remote exploits, like the kind cybercriminals would need to use to infiltrate a personal desktop or laptop computer. The company noted, however, that if users had reconfigured their advanced Unix services (underlying code in OS X) they might face issues.

“We are working to quickly provide a software update for our advanced Unix users,” the company said in its statement.

Early Friday afternoon, the patch was not yet available.

Initially, security experts also expressed alarm that all smartphones running Google’s Android operating system would be affected. Google said on Friday, however, that Android used an alternative to Bash, called Mksh, which did not contain the vulnerability. But security experts noted that because Android is open-source software, many corporations and users tweak it and incorporate it into other products, which could use Bash. The upshot is that Android users should still check to see whether they are vulnerable.

Trend Micro, the security firm, said it was moving quickly to release license-free tools to scan and protect vulnerable servers, as well as web users, across Mac OS X and Linux platforms.

An official alert from the National Institute of Standards and Technology rated the vulnerability a 10 out of 10 in terms of its severity, impact and ease of exploitation, and rated its access complexity as low, meaning that it could be easily used by hackers.

Security researchers say that as soon as the bug was reported they detected widespread Internet scanning by so-called white hat hackers — most likely security researchers — as well as people thought to be cybercriminals. The worry is that it is only a matter of time before somebody writes a program that will use Shellshock to take over machines.

On Friday, researchers at Incapsula, the security firm, said that in the previous 24-hour period alone they had witnessed 17,400 attacks, at an average rate of 725 attacks per hour. The researchers said that more than 1,800 web domains had been attacked and that the attacks originated from 400 unique IP addresses, more than 55 percent of which were in China and the United States.

The Department of Homeland Security’s Computer Emergency Readiness Team, US-CERT, advised users and technology administrators to obtain an appropriate patch from the supplier of their Linux or Unix-based operating system.

Security experts advised home users to stay on top of software updates and to check manufacturer websites, particularly for hardware such as routers.