Shellshock Bash Bug Affects Apache Web Server Software
Servers running the Apache web server software are among the systems most vulnerable to Shellshock, the Bash Bug, which has been around for 25 years. (Reuters)

As news spread of the severity of the internet security flaw which has become known as Shellshock, Google and Amazon rushed to protect their servers.

Shellshock is a flaw in the code of a 25-year-old piece of software called Bash that also happens to run on Mac OS X, Linux and up to 50% of all web servers.

Google is attempting to fix the bug in both its internal servers and commercial cloud services, WSJ understands.

Meanwhile, Amazon Web Services released a statement that showed customers how best to deal with the problem.

"This bug is horrible," Darien Kindlund, director of threat research at cybersecurity firm FireEye, wrote in a company blog post. "Conservatively, the impact is anywhere from 20% to 50% of global servers supporting web pages."

Bigger than Heartbleed

The Bash Bug, as it is also referred to, relates to how "environment variables" are processed. This flaw means that theoretically a hacker could manipulate the environment variables to gain access to and remotely control any affected device.

Some are saying this bug is potentially bigger than the Heartbleed flaw detected earlier this year, which prompted widescale panic and cries from some quarters for everyone on the internet to change their passwords or face losing all their data.

The Bash Bug has been around since the software's inception in 1989, but was only identified by a Linux researcher this week.

Websense CEO John McCormack told WSJ: "The real professional organisations – such as nation states – you have to assume they've known about it."

Knowing may often be half the battle, but in this case it's none of it. Unlike Heartbleed, simply changing passwords won't make Shellshock go away.

Now that it has been revealed, however, big tech companies like Google and Amazon will surely develop defences. Mac OS X is also vulnerable, Apple admits, but the company is working on a fix and says that if users have the default settings enabled, then they are not at risk.

There has yet to be a recorded Bash Bug attack, although the US Department of Homeland Security has graded it a 10 out of 10 on the cyber threat scale.