Remember the Heartbleed bug that made the Internet a sitting duck for hackers? We're now experiencing another security breach that's as bad or worse, reports CNET. One weird aspect, at least to laymen: The flaw has been around for 22 years but went unnoticed until this week. Known as "Shellshock," the bug affects a piece of software called Bash that's built into 70% of machines connected to the Web, the New York Times reports. That includes Macs and PCs with Linux and Unix operating systems. An Apple statement to CNET says the "vast majority" of users of its OS X operating system were not at risk. Ars Technica, meanwhile, explains how to determine if a Linux or Unix system is vulnerable. In theory, hackers could exploit a weakness in Bash that would allow them to take over an operating system and grab personal data, rather than just steal passwords.
The National Institute of Standards and Technology gives it a 10 out of 10 for severity, and though the makers of Linux released a patch with news of the bug Wednesday, it now says the patch can be circumvented, Wired reports. "The number of systems needing to be patched, but which won't be, is much larger than Heartbleed," security expert Robert Graham writes at Errata Security. The bug is already being exploited, writes Wired's Andy Greenberg: "The shellshock attacks are being used to infect thousands of machines with malware designed to make them part of a botnet of computers that obey hackers' commands." And it's likely to get much worse: Soon, hackers will transform the bug into a worm "to scan for more bash bug servers and install itself," says another expert. "That's definitely going to happen."