Hackers have started using the Bash bug on vulnerable systems.
One security expert said it could be ‘game over’ for large networks.
It includes Linux used in many devices such as cars and cameras.
It can also affect Android, Windows, IBM and Apple Mac OS X machines.
Bug, also called ‘Shellshock’, may let hackers take control of devices.
Some patches have already been released, but are still ‘incomplete’.
HOW WILL YOU BE AFFECTED?
The bug makes all Apple Mac computers, around half of all websites and most internet connected home appliances vulnerable.
The danger is that it can run in the background, without a user ever knowing. And once it does, a hacker will be able to take control of your device.
For instance, the bug could be used to read or send emails, copy banking data, turn on a webcam or listen in on a computer’s microphone.
Essentially, this means if your computer will do something without asking for a password, then someone using the bug can also do the same.
Anyone using these devices will need to include a ‘patch’ update to the software as soon as it is released. As well as computers, the public is being warned they may need to update their internet-connected devices, such as smart locks, separately.
Bash stands for Bourne Again Shell. It is what’s called a command-line shell that lets users control software programs and features.
Commands are sent to these programs by typing text into a particular area of code.
This area is typically restricted to programmers and website owners, but the Bash bug leaves it open to attack from anyone.
For example, Mac OS X users can run it by from their Terminal, as can people running devices on the Linux operating system.
Windows is not affected in the same way, but if a hacker exploits malicious code through the flaw, they could gain access to any device, in theory, including PCs.
The bug is said to have existed for 25 years, and was discovered by Linux expert Stéphane Chazelas.
As an example, the Apache web server runs Bash in the background to carry out tasks, including processing personal data entered into online form.
A hacker who exploits Bash could send a request for the information, and then add malicious code to the server to send the user to other sites, or to install a virus on their computer.
Once the hacker has access, they could launch an attack on every visitor that users the site - and users could be none the wiser.
According to experts, there haven’t been any reports of real-word attacks, but that doesn’t mean they won’t ever be affected, nor does it mean they haven’t happened in the past, without being detected.
Reports are suggesting Apple has patched the flaw that explicitly affects the terminal on its Mac software, but the firm has not officially confirmed this.
The responsibility to fix the flaw lies with the website owners, meaning everyday users can’t do anything to protect themselves.
Website owners, especially running on Linux-based servers, are being told to check and patch their systems immediately.