The Ghost bug on Linux has been dismissed as not "another Heartbleed" by the security vendor Rapid7, referring to an SSL bug that forced many of the web’s biggest companies to patch their systems and reset their customers’ passwords last year.

Researchers at cybersecurity firm Qualys identified Ghost in an advisory published this week. The bug remained unpatched on many systems because it was not labelled as a security problem, despite being fixed as early as 2013.

If present, the bug allows hackers to trigger a buffer overflow, in which adjacent memory on a system can be overwritten, potentially leaving the system entirely open to exploitation.

So far, researchers have identified one exploitable case, on the Exim mail server, which can be abused via Ghost to execute commands.

HD Moore, chief security researcher at Rapid7, said: "To be clear, this is not the end of the Internet as we know it, nor is it another Heartbleed. In a general sense, it’s not likely to be an easy bug to exploit."

"Linux-based appliances from a variety of vendors are going to be impacted, though as with most library-level vulnerabilities, the attack surface is still largely unknown."

Despite this, he added that the bug could still be "nasty" and that his firm recommended companies immediately patch and reboot their servers, while companies using Linux appliances are advised to contact their service providers.

Linux vendors Red Hat and Ubuntu have already patched their systems in response to Ghost, whilst others are in the process of repairing the problem.