The Shellshock flaw could be used to mount devastating targeted attacks on numerous industries, including critical infrastructure, and underlines ongoing security issues within the development community, according to security experts.
Discovered on 25 September, the Shellshock bug exists in the Bash code used in numerous Unix-based or Unix-like operating systems, including Linux and Mac OS X.
Ian Pratt, co-founder of Bromium, said the common use of Bash makes Shellshock one of the most dangerous vulnerabilities ever discovered and leaves web and computer users across the world vulnerable to attacks.
"The 'Shellshock' Bash vulnerability is a big deal. It's going to impact large numbers of internet-facing Linux/Unix/OS X systems as bash has been around for many years and is frequently used as the 'glue' to connect software components used in building applications," he said.
"Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise."
Lancope director of security research Tom Cross was equally concerned and highlighted Shellshock's potential to be used for attacks on critical infrastructure.
"Researchers are still discovering things that can be done with it. Shellshock is particularly concerning in the context of Industrial Control Systems and SCADA, where there may be many vulnerable devices that are difficult to upgrade," he said.
"Earlier this year, a sophisticated waterhole attack targeted users of a variety of industrial control systems and industrial cameras. Those attackers now have an entirely new attack vector to explore."
FireEye director of threat research Darien Kindlund mirrored Pratt and Cross' concerns, but said he is more concerned about how Shellshock could be used to exploit servers running Bash, warning that the possibilities it offers hackers make it even more dangerous than Heartbleed.
"This bug is horrible. It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic. Conservatively, the impact is anywhere from 20 to 50 percent of global servers supporting webpages," he said.
"Specifically, this issue affects web servers using GNU Bash to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet."
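The CGI exposure Kindlund describes, as an added example that is not from the article or from any vendor quoted in it: a small detector that scans Apache/nginx combined-format access log lines for the Bash function-definition marker in the request headers a CGI web server would export to Bash. The sample log lines, IP addresses and field names are constructed for this example.

```python
import re

# CGI servers export request headers such as User-Agent and Referer as environment
# variables; when Bash is the CGI interpreter, a header value that begins with the
# function-definition marker "() {" triggers Shellshock. Browsers never send it.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock_hits(lines):
    """Return one dict per suspicious request: which header carried the marker and
    whether the target path looks like a CGI script (the case the quotes above describe)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_MARKER.search(rec[field]):
                parts = rec["request"].split(" ")
                path = parts[1] if len(parts) > 1 else rec["request"]
                hits.append({
                    "ip": rec["ip"],
                    "path": path,
                    "header": "User-Agent" if field == "ua" else "Referer",
                    "cgi_target": "/cgi-bin/" in path,
                    "status": rec["status"],
                })
                break  # one finding per line is enough
    return hits


# Constructed sample lines (not real traffic): a benign request, a probe against a CGI
# script, and a probe against a static file (worth logging, but Bash is never invoked).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:09:58:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo CHECK"',
    '203.0.113.5 - - [25/Sep/2014:10:01:05 +0000] "GET /logo.png HTTP/1.1" 404 209 "() { :; }; echo CHECK" "curl/7.37.0"',
]
```

Running `find_shellshock_hits(SAMPLE_LOG)` flags the two probes and marks only the `/cgi-bin/` request as one where the bug could actually fire.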
Heartbleed was a major SSL bug discovered in April, which was known to be leaving millions of web servers across the world open to attack.
Kindlund told V3 while FireEye is yet to see any evidence suggesting the flaw is being exploited for advanced targeted attacks, it will only be a matter of time.
"We have not seen this vulnerability used in targeted attacks yet. There is a high probability that sophisticated threat groups will use this vulnerability soon," he said.
Trustworthy Software Initiative director Tony Dyhouse highlighted the vast damage Shellshock can do as proof that developers must rework their coding practices to consider security, warning that more critical flaws will inevitably appear if they do not.
"This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK. Ultimately, this is a lifecycle problem. It's here because people are making mistakes whilst writing code and making further mistakes when patching the original problems," he said.
"Patching software continues to be a relevant short-term fix but it cannot be considered a long-term security strategy and we need to decrease the need for it in the future and treat the root cause."
Dyhouse is one of many security professionals to call on software and technology developers to consider security from the start. Raj Samani, CTO of McAfee, warned security firms to begin adopting ubiquitous security models or risk disaster, during an interview with V3 about the internet of things in September.
Microsoft announced plans to reshuffle its Trustworthy Computing (TwC) security division's engineers to work more directly with its development teams on 19 September.