Security experts are sounding the warning over a newly discovered security vulnerability in Unix, Linux and OS X that could put hundreds of millions of websites at risk. The NIST has given the flaw a 10 out of 10 rating for its severity, and developers are rushing to create and deploy patches to address the bug. Fireeye director of Threat Research Darien Kindlund warned, "This bug is horrible. It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic. Conservatively, the impact is anywhere from 20 to 50 [percent] of global servers supporting web pages."
Professor Alan Woodward from the University of Surrey added, "What many do not realize is that over 50 percent of active web sites run on a web server called Apache which runs on Unix, and hence is potentially vulnerable. As we have just passed the point where there are one billion active websites, that means that something in excess of 500 million sites could be vulnerable to this security flaw."
The bug is in the Bash command prompt software used by many *nix systems, and it has been present for 22 years without being detected. Debian Linux and related distributions, including Ubuntu, usually use Dash instead of Bash, and are less vulnerable to the problem as a result. Still, everyone with a server or PC running Linux, Unix or OS X is advised to apply a patch as soon as one becomes available for their systems.