Japanese security solutions provider Trend Micro has detected the first attacks related to the Shellshock bug discovered last week.
Shellshock, which is also known as the "Bash bug," is considered by many security experts to be even more dangerous than Heartbleed, which was discovered earlier this year.
A number of attacks have been carried out in Brazil targeting government institutions. However, to date it seems as though no major damage has been caused, apart from the gathering of data.
"But the forecast is that, considering the speed of cybercrime development, this will change quickly," said Trend Micro in a statement, referring to the fact that it is expected that attacks will become more serious in the near future.
The news comes as Tripwire, a leader in security management solutions, announces coverage for Shellshock, which affects systems running Unix, Linux, BSD, OS X and other derivatives of Unix.
"This vulnerability is more severe than Heartbleed," said Lamar Bailey, director of the vulnerability and exposure research team at Tripwire. "If an attacker is successful, he or she can take complete control of the target system. Unfortunately, this is one of the rare vulnerabilities with the potential to be a wide-scale worm because it is extremely easy to exploit and there are millions of vulnerable targets."
Unix and derivatives of Unix are used in an extremely wide variety of products, including computers, tablets, smartphones, badge sensors, smart home appliances and so on. It is for this reason that Shellshock could be devastating. The bug allows hackers to access and control devices. Not only that, but malware that exploits the bug is able to spread rapidly to other systems.
Tripwire's SecureScan will provide vulnerability scanning for free on up to 100 IP addresses and should discover the Shellshock vulnerability on a variety of devices.
"Despite Heartbleed, it is rare for a vulnerability to be both as extensive and severe as the Bash bug," said Tim Erlin, director of IT security and risk strategy for Tripwire. "This vulnerability has been around for a very long time, making the discovery of all the vulnerable systems on an enterprise network very challenging. Bash itself isn't directly surfaced on the network, so you need to check potentially vulnerable systems, including many devices that are difficult or impossible to patch."
Software makers such as Oracle and Apple are reportedly also preparing patches for the bug. Despite this, most Apple users need not worry too much because Apple's computers are shipped "safe by default." If, however, a user configures a computer for "advanced" Unix use, they will need a patch, which should be provided by Apple.