Stephane Chazelas found the vulnerability, which carries the identifier CVE-2014-6271 but has been dubbed Shellshock by those who like their bugs to sound a little more like a Marvel super-villain.
The flaw is in Bash, which can export not only shell variables but also shell functions to child bash instances by placing them in the environment. A vulnerable Bash does not stop parsing at the closing brace of an imported function definition, so any commands appended after it are executed as soon as the new shell starts. Function export has been a feature of Bash, and therefore of Linux systems, for a long time.
Web applications such as CGI scripts may be vulnerable, because CGI hands request headers to the script as environment variables; a script that calls other programs through a shell, or evaluates sections of code through a shell, is especially exposed.
The problem is fixed by upgrading to a patched version of bash. Until that is possible, mitigations include replacing bash with an alternative shell, limiting access to vulnerable services, or filtering the inputs that reach them.
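As an added example (this is not code from the article, from Bash, or from Rapid7), the following POSIX shell script exercises the behaviour described above: it probes the local bash by placing a Shellshock-style value in a CGI-style environment variable, shows the legitimate function-export feature the bug abuses, and applies the kind of input filter mentioned as a stopgap mitigation. The function names are this example's own; HTTP_USER_AGENT is the standard CGI name for the User-Agent header.

```sh
#!/bin/sh
# Added example (not from the original article): probe a local bash for the
# Shellshock behaviour, show the function-export feature it abuses, and apply
# the simple input filter described as a mitigation. Function names are this
# example's own; HTTP_USER_AGENT follows the CGI naming convention.

# Returns 0 if bash executed the command appended to a function definition
# (vulnerable), 1 if it did not (patched), 2 if bash is not installed.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    # The value is shaped like a hostile User-Agent header: a function body
    # followed by a trailing command. Only a vulnerable bash runs
    # `echo VULNERABLE` while importing it; the child itself prints "probe".
    probe_out=$(env HTTP_USER_AGENT='() { :;}; echo VULNERABLE' \
                bash -c 'echo probe' 2>/dev/null)
    case "$probe_out" in
        *VULNERABLE*) return 0 ;;
        *) return 1 ;;
    esac
}

# The legitimate feature: a function defined in one bash and exported with
# `export -f` is available in a child bash through the environment.
# Returns 0 if the child ran the imported function, 1 otherwise, 2 if no bash.
exported_function_works() {
    command -v bash >/dev/null 2>&1 || return 2
    fn_out=$(bash -c 'greet() { echo "hello from $1"; }; export -f greet; bash -c "greet child"' 2>/dev/null)
    [ "$fn_out" = "hello from child" ]
}

# Input filter for a front end that cannot be upgraded yet: reject any header
# or parameter value that begins with the function-definition prefix "() {",
# which is what a vulnerable bash looks for before importing a function.
# Returns 0 if the value looks like a Shellshock payload, 1 otherwise.
is_shellshock_payload() {
    case "$1" in
        "() {"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: report on the local bash and demonstrate the filter.
if shellshock_check; then
    echo "local bash: VULNERABLE"
else
    echo "local bash: not vulnerable (or bash not installed)"
fi
if is_shellshock_payload '() { :;}; /bin/id'; then
    echo "filter: rejected function-definition header"
fi
```

Run it with `sh shellshock_probe.sh` on the host in question; a bash that prints "VULNERABLE" needs the vendor patch before anything else. The prefix filter only buys time for services whose inputs can be screened, since upgrading bash is the actual fix.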
However, it could be a while before word gets out, and a great many Linux systems are running a vulnerable bash.
Security experts say this vulnerability is very bad, and that it will be a race to get systems upgraded before someone has a working exploit.
Tod Beardsley, engineering manager at Rapid7, said it was difficult to write a “bash bug” exploit, but not impossible.
“It’s quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example — routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed,” he said.