A security flaw called Shellshock in software on Unix-based operating systems is worse than ‘Heartbleed’, the exploit that affected nearly every computer last year.
The bug could take years to fix, and there’s nothing users can do to protect themselves.
Unlike Heartbleed, which let hackers spy on computers, Shellshock gives them access to control targeted systems.
The vulnerable software is called Bash, which is used by Apple Mac computers.
It’s used to control the command prompt on many Unix-based operating systems.
Cyber security firm Rapid7 and the US government-backed National Vulnerability Database have rated Shellshock 10 out of 10 in severity for its maximum impact.
However, they rated it low for the complexity of exploitation because hackers only need three lines of code to break into the system.
Hackers could theoretically set specific environment variables on Bash, which would let them take control of victims’ computers.
Even worse, they could potentially use Shellshock to create worms, or attacks that would automatically replicate across machines.
“In theory, this could take the form of an infected machine scanning for other targets and propagating the attack to them,” security expert Troy Hunt told The Guardian.
“This would be by no means limited to public-facing machines either; get this behind the corporate firewall and the sky’s the limit.”
Robert Graham, a security expert and CEO of Errata Security, told The Independent it will take a long time for experts to fix all affected systems.
“Years from now we’ll keep finding yet another device that’s still not been patched,” he said.
He claims to have found at least 3,000 systems vulnerable to the bug, but he has only scanned systems on port 80.
He added that a scan for embedded webservers on odd ports would give him “a couple times more results”.
Mr Graham warns that DHCP services could also be infiltrated.
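Because web servers copy request headers into environment variables before running CGI programs, the probes Mr Graham describes leave a recognisable trace in access logs. The following detection script is an added example, not code from the article or from anyone quoted in it; it assumes the Apache/nginx "combined" log format and uses constructed sample lines rather than real traffic.

```python
import re

# Apache/nginx "combined" log format: the quoted fields are request, referer
# and user-agent, all of which a CGI server exports as environment variables.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Signature of a Bash function definition arriving through an environment
# variable: "()" followed by "{". Whitespace between the tokens is tolerated
# so that trivially reformatted probes are still caught.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def flag_shellshock(lines):
    """Return (ip, timestamp, field) for each entry carrying the signature."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue  # malformed line; a real pipeline would count these
        for field in ("agent", "referer", "request"):
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append((entry["ip"], entry["ts"], field))
                break
    return hits


# Constructed sample lines (not real traffic); only the third carries the signature.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 77 "-" "curl/7.30.0"',
    '192.0.2.9 - - [25/Sep/2014:10:02:13 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :; }; echo probe"',
]

if __name__ == "__main__":
    for hit in flag_shellshock(SAMPLE_LOG):
        print("possible Shellshock probe from %s at %s (field: %s)" % hit)
```

A hit is a reason to confirm that the server's Bash has been patched and to review what the CGI program did with that request, not proof of compromise on its own.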
Shellshock is so serious that even the US Department of Homeland Security has released a warning and issued patches to fix servers.
The exploit, which was discovered by Linux expert Stéphane Chazelas, had gone unnoticed for at least 10 years.
Security researcher Michal Zalewski wrote on his blog: “My take is that it's a very unusual bug in a very obscure feature of a program that researchers don't really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on