TECH
09/26/2014 02:53 pm ET

Apple Joins Rush To Fix Shellshock Bug Infecting The Internet

Peter Macdiarmid via Getty Images

Apple said Friday that it was fixing a security flaw in some versions of its operating system for Mac computers, joining other tech companies that are rushing to patch the so-called Shellshock bug affecting more than two-thirds of machines connected to the Internet.

In a statement to The Huffington Post, an Apple spokesperson said the "vast majority" of people using OS X are not at risk, but some people who use advanced versions may be affected by the bug and "we are working to quickly provide a software update."

Google said it has fixed its code to avoid the bug, while Amazon told customers of its cloud service how to avoid the bug, according to The Wall Street Journal.

On Wednesday, security experts said they had found a security hole in widely used software called Bash, which stands for Bourne-Again Shell. Bash is used in more than 70 percent of web servers, routers, computers and other machines connected to the Web.

The security flaw, nicknamed Shellshock, has drawn comparisons to the recent Heartbleed bug because they both involve errors buried inside computer code used by numerous websites and tech products. Hackers can exploit flaws in computer code to install malicious software and steal passwords and other sensitive information.

Heartbleed, which was found in April, allowed hackers to steal passwords, credit card data and Social Security numbers from two-thirds of websites using the flawed OpenSSL software. Its discovery drove many tech companies to recommend that their users change their passwords, although only about 40 percent of users did so.

Security experts said the Shellshock bug could be more serious because it potentially allows a hacker to steal more than passwords or other data from a web server. If hackers can exploit the Shellshock flaw to infect a web server, they can also infect an entire website with malware and take over the computers of those who visit that site, according to David Jacoby, a senior security researcher at Kaspersky Lab.

It remains unclear what websites, if any, have been infected so far, though security researchers said they are seeing attempts by criminals to take advantage of the flaw.

So what can you do to protect yourself? Not a whole lot.

While Internet users could change their passwords to protect themselves from the Heartbleed bug, there is little they can do to avoid the Shellshock bug other than to wait until companies patch the flaw.

Internet users can, however, make sure that they have antivirus software on their computers and that their computers have been updated with the latest security patches, Jacoby said. If an infected website is spreading malware, it will try to embed itself in visitors' computers through a flaw in an unpatched program.

Satnam Narang, a security response manager at Symantec, urged people not to panic.

"If a website gets breached, then consumers should be worried," he said. But that hasn’t happened yet, he said.

CONVERSATIONS