A typical Bash screen

Shellshock, a newly discovered security flaw in a type of software widely used in UNIX, Linux and Mac OS X systems, is considered even worse than last April's “Heartbleed” security flaw, and Heartbleed was bad enough and far-reaching enough to threaten any [supposedly secure] website using OpenSSL encryption.

The list of potentially infected sites from Heartbleed included Yahoo and the FBI, and it's only a slight exaggeration to say, “As a result of Heartbleed, dang-near everybody on the Internet had to change dang-near every password they had.”

Shellshock, also called simply “the BASH bug,” is even worse. After all: “change your passwords” is something you can actually do, an active step you take to protect yourself. So far, though, it appears there's no equivalent step ordinary, everyday Internet users can take to protect themselves from Shellshock; identifying and fixing the problem is in the hands of webmasters and systems administrators.

Even worse: Heartbleed would only allow hackers to see what you were doing on or with your computer; they couldn't actually control it. Hackers exploiting the BASH bug might be able to.

BASH is an acronym for Bourne Again Shell, an open-source software system found in UNIX-type systems. Like all shells, it basically translates commands (from a server or website) into something which your computer or device can read.

The newly discovered security bug basically lets hackers take over the shell and slip in malicious bits of code.

In home-security (rather than computer-security) terms, Heartbleed was like a situation where the front door to everybody's house suddenly unlocked all at once, so everybody had to lock their doors (change their passwords) before any burglars walked in through those unlocked doors to steal things. But the BASH bug is more like a new device a burglar can use to break into a locked door.

The security flaw is bad enough that the U.S. Computer Emergency Response Team issued a security alert to “experienced users and administrators” – another subtle reminder that, while everyday Intenet users are at risk from Shellshock, there's little if anything they personally can do about it.

Share your Comments