So, is it time to panic? Here are some common questions and answers about the latest security scare.
Q. What is the Bash Bug, and why is it a big deal?
A. The bug, also known as "Shellshock," is in a commonly used piece of system software called Bash. Bash has been around since 1989 and is used on a variety of Unix-based systems, including Linux and Mac OS X.
Devices that use Unix in some form include many servers, routers, Android phones, Mac computers, medical devices and even the computers that create bitcoins. Systems running power plants and municipal water systems could also be affected by the bug, though security experts already recommend that these systems remain disconnected from the Internet so they are not open to such risks.
Bash is a command shell — "the thing you use to tell your computer what you want it to do," explains Christopher Budd, global threat communications manager at security firm Trend Micro. Thus, exploiting a security hole in Bash means telling your computer, or other systems, what to do.
Q. Why are people saying it's worse than "Heartbleed," the flaw that exploited security technology used by hundreds of thousands of websites?
A. While Heartbleed exposed passwords and other sensitive data to hackers, Bash Bug lets outsiders take control of the affected device to install programs or run commands. Bash Bug is rated 10 on a 10-point scale for its impact and ease of exploitability by the Common Vulnerability Scoring System, an industry standard for assessing how bad security flaws are. Heartbleed is rated 5.
On the other hand, a perfect set of conditions need to be present for the bug to be open to exploitation, which could limit its effect.
Heartbleed affected any system running OpenSSL, a common Web encryption technology. With the Bash Bug, your system actually has to be using Bash, Budd said. There are multiple types of command shells, so even if Bash is installed, the system could actually be using a different one.
Q. It's been a quarter century since Bash came out, so why is the bug a threat now?
A. That's because someone — Stephane Chazelas of Akamai Technologies Inc. to be specific — just found it.
"That's the thing with security bugs," Budd said. "It takes a person actually looking at that code, and seeing it, and saying 'that's not right'" to find problems.
Heartbleed was around for more than two years before it was discovered.
Q. What can you do about it?
Everyday users can't do much right now, except to wait for manufacturers to release fixes for the particular product. Companies are already releasing patches that correct the flaw, so Budd recommends applying the patches for routers, Macs and other devices as they come out.
But that can be easier said than done. Budd said it will depend on who made the equipment and whether you get a fix at all. Even if a fix is developed, getting it could be another matter. Budd expects that to be an issue with Android phones, because their manufacturers and carriers are often slow to push out the system updates that Google provides.
Of course, it always helps to run up-to-date security software on your devices.
Michael Liedtke reported from San Francisco.