A programming flaw dubbed the “Bash Bug,” or more ominously “Shellshock,” is being described as a potential threat to millions of computers, servers, medical devices, power plants and municipal water systems, and even common objects such as refrigerators and cameras.
It is being compared to Heartbleed, a flaw in OpenSSL, the encryption library used by most of the Internet, which let attackers read server memory and steal data such as passwords. Shellshock is similarly widespread and can do more damage: it lets an attacker run commands of their choice on a vulnerable machine, steal data, shut down networks and cause other problems.
It was discovered on Sept. 12 by Unix specialist Stéphane Chazelas and disclosed publicly on Wednesday, Sept. 24.
According to Ars Technica, the bug is already being used to attack Web servers. The initial fix for the bug (tracked as CVE-2014-6271) was incomplete; it left part of the same parsing flaw reachable, and a follow-up fix (CVE-2014-7169) was needed. Within hours of the bug going public, security researchers saw attackers scanning for vulnerable servers and trying to exploit it.
The flaw affects a commonly used, free software system called Bash that has been around since 1989. According to the New York Times, it is built into 70 percent of machines that connect to the Internet.
Software-savvy people call it a “command shell.” It reads commands typed by users or written in scripts and runs them, so the computer knows what to do. Programs also pass it settings in the form of environment variables, and it was in how Bash parsed those variables that the bug lay.
According to reports, it could affect your computer even if you’ve never heard of it. Bash is the default shell on most Linux and Unix-based operating systems, including Apple’s Mac OS X, according to an alert from the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT).
The National Institute of Standards and Technology rated Shellshock a 10 on the 10-point CVSS severity scale; Heartbleed was rated a 5. Both flaws were rated low in access complexity, which means they can be exploited without special conditions or skill.
Discovered last spring, Heartbleed was a flaw in security technology used by thousands of Web sites that had exposed passwords and other personal data to hackers for two years before it was found.
Shellshock has existed for 22 years, the Times noted. It doesn’t just expose your password: attackers can exploit the flaw to run their own commands on your computer. Heartbleed mainly affected servers, while Shellshock affects many kinds of Internet-connected devices.
However, Shellshock could be harder to exploit, Christopher Budd, global threat communications manager at security firm Trend Micro, told the Associated Press. Not all machines running Bash can be exploited. It’s not enough for Bash to be installed on your system; an attacker needs a way to get data of their choosing into Bash’s environment, which in practice means a network-facing program that launches Bash, such as a Web server running CGI scripts, has to be exposed.
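The following POSIX shell script is an added example, not code from the article or from the Bash project. It checks a bash binary for the original Shellshock parsing flaw the way an attacker reaches it (an environment variable whose value starts with a function definition and carries a trailing command), and it counts probing attempts in a Web-server access log. It assumes a bash binary on PATH or one given as an argument, uses constructed log lines, and names the environment variable HTTP_USER_AGENT because that is the variable a CGI server would set from the request; the function names are the example’s own.

```shell
#!/bin/sh
# Added example (not from the article): probe a bash binary for the original
# Shellshock parser bug (CVE-2014-6271), and count probing attempts in a web
# server access log. POSIX sh; only needs env, grep, mktemp and a bash to test.
#
# Background for the probe: before the fix, bash treated any environment
# variable whose value began with "() {" as a function definition to import,
# and kept executing whatever followed the closing brace. The variable name
# does not matter, which is why a CGI web server that copies request headers
# into variables such as HTTP_USER_AGENT hands an attacker remote code
# execution on any site where a bash script (or a script that calls bash)
# handles the request.

# Usage: shellshock_probe [bash-binary] [variable-name]
# Prints exactly one of: vulnerable, patched, no-bash. Always returns 0 so
# it composes cleanly under 'set -e'. Passing a non-bash shell as the binary
# yields "patched", because only bash ever imported functions this way.
shellshock_probe() {
    bash_bin="${1:-bash}"
    var_name="${2:-HTTP_USER_AGENT}"   # default mimics the CGI header variable

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # Benign payload: an empty function body, then a trailing command.
    # A vulnerable bash runs the trailing echo while importing its
    # environment, before it even parses the 'echo probe' it was asked to run.
    payload='() { :;}; echo SHELLSHOCK_TRIGGERED'
    out=$(env "$var_name=$payload" "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_TRIGGERED*) echo "vulnerable" ;;
        *)                      echo "patched" ;;
    esac
}

# Usage: count_shellshock_hits <access-log>
# Counts request lines carrying the "() {" marker that every Shellshock
# probe must contain (usually in the User-Agent or Referer field). grep
# exits 1 when the count is 0, so '|| :' keeps the function's status at 0.
count_shellshock_hits() {
    grep -c -F '() {' "$1" || :
}

# Constructed sample log (Apache combined format): one scan attempt and two
# ordinary requests. The addresses are documentation ranges, not real hosts.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
198.51.100.20 - - [25/Sep/2014:10:03:45 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:04:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/7.37.0"
EOF

# Stand-alone run: report on the local bash, then on the sample log.
echo "local bash: $(shellshock_probe)"
echo "probe lines in sample log: $(count_shellshock_hits "$SAMPLE_LOG")"
```

On a patched system the probe prints only “patched”; on an unpatched bash the trailing echo fires during environment import and the probe reports “vulnerable”. The log count is a coarse triage signal: the “() {” marker is what every exploit attempt must carry, but a match shows only that someone tried, not that the script behind the request was written in bash or ran at all.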
An Apple spokesman told the Web site iMore that OS X systems are safe unless the user configured advanced UNIX services, something only advanced users would know how to do. If your Mac is vulnerable, you only have to worry if you are on a public WiFi network, according to the Times.
According to cybersecurity reporter Brian Krebs, the flaw does not affect Microsoft Windows, which does not ship with Bash. The Times said it can affect Android phones, though Android’s default shell is not Bash, so a stock phone is exposed only if Bash has been installed on it.
The flaw affects embedded devices and systems. That includes things like digital watches, MP3 players and traffic lights. “In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched,” Joe Hancock, a cybersecurity expert with insurer AEGIS in London said in a statement reported by Reuters.
The bug could be exploited to take control of a Web server and steal passwords, Joe Siegrist, CEO of LastPass, a service that stores and protects passwords, told the AP, though he said the threat of that happening is lower than with Heartbleed.
Shellshock is particularly dangerous because it’s “wormable,” a term for flaws that self-replicating malware can use to spread from machine to machine without human help, like a viral pandemic.
Power plants and water systems are less threatened if they have followed the advice of security experts and kept their control systems disconnected from the Internet to avoid such risks, the AP reported.
“Who is at risk” is an open question, however. “Bash is embedded and accessed in so many ways that we cannot fully understand its depth of use,” wrote Securosis analyst and CEO Rich Mogull. “We cannot possibly understand all the ways an attacker could interact with Bash to exploit this vulnerability.”
There’s reportedly not much you can do about it except check for software updates from the companies that make your computer, router and other Internet-connected equipment, and install them as they arrive. Red Hat, an open-source software company, released an initial patch for Linux that turned out to be only partial. Apple is currently working on a fix.
Google is also working on a fix, Reuters reported.
Five years after Bash was created by a programmer named Brian J. Fox, another programmer named Chet Ramey took over the job of maintaining the software in his free time, when he wasn’t working at his day job as a senior technology architect at Case Western Reserve University in Ohio, the Times reported.
Ramey told the Times he thinks he introduced the bug in a new Bash feature in 1992. After Chazelas, the security researcher who discovered it, contacted him on Sept. 12, they collaborated with other people who work on open-source security to create a patch within a few hours. They discreetly tipped off the major software makers so they could address the problem before hackers found out and exploited the bug.