It feels like major security vulnerabilities are more common than ever, and there’s a big one freaking out the blogosphere being referred to as “shellshock”. It was discovered by a Red Hat security team in the Bash shell.

Security expert Robert Graham at Errata Security has been blogging about the bug saying that it is “as big as Heartbleed,” and also that it’s twenty years old. He says it’s as big a deal as Heartbleed because it interacts with other software in unexpected ways, and that unknown systems remain unpatched. He writes:

We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.

I’d suggest keeping up with his blog for analysis on the issue, as it appears to be the go-to spot at this point.

Here’s what the Twitterverse is saying:

Here’s an “everything you need to know about it” post from Troy Hunt, which you should probably also check out if this concerns you.