Remember the “Heartbleed” security scare earlier this year? Well, just in time for Halloween, an even bigger nightmare has surfaced – and it threatens the “Internet of Things” from cameras to networks, a security expert warns. Even the Department of Homeland Security has issued a warning.

Consumers and IT professionals have got to be worried about all that’s going wrong in the world of code. Hackings. Disclosures of financial information. Wednesday’s Apple iOS fiasco.

And now comes Bash.

Red Hat disclosed the “Bash bug” on Wednesday. It’s also being called the “Shellshock” bug. And Linux users couldn’t be blamed if they are shellshocked.

Whatever the name, the problem is huge.

“Today’s bash bug is as big a deal as Heartbleed. That’s for many reasons,” warns Robert Graham, a widely quoted security blogger.

“Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.”

So what’s “bash?”

It’s a widely used and versatile utility within the core of the Linux operating system.

As tech news website The Verge explains:

“When accessed properly, the bug allows for an attacker’s code to be executed as soon as the shell is invoked, leaving the door open for a wide variety of attacks. Worse yet, it appears the bug has been present in enterprise Linux software for a long time, so patching every instance may be easier said than done.”

The government is telling people to be wary, too.

“The Department of Homeland Security’s Computer Emergency Readiness Team issued a warning about the vulnerability,” The Associated Press reports but also notes: “Experts are divided over whether the bug could pose a bigger threat than the ‘Heartbleed’ computer security flaw discovered earlier this year.”

The AP says computer security firm Rapid7 acknowledges that the problem “looks pretty awful at first glance” but adds “hackers will not be able to exploit most systems running the affected Bash software.”

“Rapid7 spokeswoman Jen Ellis says a perfect set of circumstances would need to occur for an attack to work,” The AP adds. “The software does not run on Windows computers.”

Warning, Warning …

Red Hat’s Security Blog posted the warning and a detailed explanation about how Linux users should respond.

“Bash specially-crafted environment variables code injection attack,” reads the headline.

Even for non-programmers, “code injection attack” is pretty clear.

Check your networks right now.

Red Hat’s Huzaifa Sidhpurwala explained:

“Bash, or the Bourne again shell, is a UNIX-like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal-based command interpreter to many other fancy uses.

“In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name which has a value assigned to it. The same is true of the bash shell. It is common for a lot of programs to run the bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc.) or even provide limited command execution support (git, etc.).

“Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents. As a result, this vulnerability is exposed in many contexts …”
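The behavior Sidhpurwala describes can be verified on a machine you administer. The script below is an added example, not code from the article or from Red Hat's post: it defines a harmless function in an environment variable, appends a marker command after the function body, and reports whether the local bash runs that trailing command while importing the environment. It assumes a `bash` binary is on PATH and tests only that local shell.

```shell
#!/bin/sh
# Added example: check whether the local bash executes code placed after a
# function definition in an environment variable (the Red Hat description).
# Assumes `bash` is on PATH; nothing outside this machine is touched.

shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not found"
        return 2
    fi

    # Constructed marker so we can tell our own output apart from anything
    # the child shell might print on its own.
    marker="SHELLSHOCK_MARKER_$$"

    # The variable value looks like an exported function ("() { :;}") with an
    # extra command after the closing brace. A patched bash imports only the
    # function; an unpatched bash also runs the trailing command as soon as it
    # starts, before 'echo done' is ever reached.
    output=$(env x="() { :;}; echo $marker" bash -c 'echo done' 2>/dev/null)

    case "$output" in
        *"$marker"*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "not vulnerable"
            return 0
            ;;
    esac
}

# Companion inventory step for the "many contexts" point: list the PIDs of
# bash processes currently running, to show how often bash is invoked in the
# background by other software. Uses only POSIX ps options.
bash_processes() {
    ps -eo pid,comm 2>/dev/null | awk '$2 == "bash" { print $1 }'
}

shellshock_check
```

A result of "vulnerable" means the installed bash needs the vendor patch; the check says nothing about other hosts or about which network services hand environment variables to bash.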

No Easy Fix

Red Hat offered patches. But this is a long-term, in-depth fix, says security expert Graham. Bash tops Heartbleed as a threat because of its pervasiveness.

“The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion,” he wrote.

“The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.”

Happy computing.