"This is likely the largest ever attack vector surface for any bug, ever," Australian security consultant Nik Cubrilovic said. "Bash just happens to be one of the small number of applications that is integrated absolutely everywhere: from web servers, mail servers and remote administration servers through to Android phones, embedded devices and appliances." An attack vector surface is the sum of the different points - the "attack vectors" - where a hacker can try to use a vulnerability to extract data from an environment. Speaking from the US, Robert Graham, a security consultant at Errata Security who has been monitoring the bug, told Fairfax Media its potential impact was worse than that of Heartbleed. Mr Graham said there was not much consumers could do other than ensure their home routers' firewalls were correctly configured to stop hackers from exploiting vulnerable devices on their networks.

He urged system administrators of servers that host websites to update their security as soon as possible to ensure data was not stolen by hackers, who he expected were actively exploiting the newly found bug. "This bug is horrible," Darien Kindlund, director of Threat Research at security firm FireEye, said. "It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic. Conservatively, the impact is anywhere from 20 to 50 per cent of global servers supporting web pages." Mr Cubrilovic said the bug was taking up his entire day, with clients needing fixes. "It has me in incident response mode with a number of the companies I work with," he said.

"[It] took some explaining as to why patching Bash on all servers is so urgent - since most people associate bugs in Bash with local exploits, and don't immediately see the remote exploit vector." As the bug allowed remote command execution, it was "the worst class of bug", Mr Cubrilovic said. He urged administrators to patch their servers and devices immediately. Administrators should also monitor their web servers and system logs for any strange requests. Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, warned the bug was rated a "10" for severity, meaning it has maximum impact, and rated "low" for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.

"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, etc," Mr Beardsley said. Ty Miller, managing director of Sydney-based Threat Intelligence, said initial research indicated that the vulnerability was highly likely to be widespread and had the potential to be more damaging than Heartbleed. He said it allowed affected operating systems to become totally compromised, "providing the attacker with a foothold on the internal network of the victim". "If the victim is an organisation, then attackers are able to escalate their privileges and take over the organisation's systems within a day and lead to large-scale data theft," Mr Miller said. The US Department of Homeland Security's United States Computer Emergency Readiness Team, or US-CERT, issued an alert about the bug.

It said Apple's desktop and laptop operating system was vulnerable, as were many Linux-based systems. The Australian government's CERT Australia, which helps protect critical infrastructure in Australia as well as businesses, also issued an alert late on Thursday evening. The federal government's Stay Smart Online alert service for consumers issued a warning too, which said consumers should ensure software updates are applied to their systems and devices when they become available. "It is likely these will be distributed over coming days as affected products are identified and updates released by their manufacturer," it said. US-CERT advised computer users to obtain operating system updates from software makers. It said that Linux providers including Red Hat had already prepared them, but it did not mention an update for OS X. Apple representatives could not be reached.

Australian security consultant Chris Gatford, of HackLabs, said the bug would result in "another long couple of weeks for system administrators" and provide hackers with another "useful exploit to use for the next three years" against those who don't patch it. Mr Miller agreed. "We are likely to find that this vulnerability will be exploitable on a significant portion of the internet and will be for a long time," he said. Mr Graham said many devices would probably remain vulnerable forever, as some firms that made internet-connected devices may have shut down or may no longer be supporting the old devices affected. Heartbleed, discovered in April, is a bug in open-source encryption software called OpenSSL. The bug put the data of millions of people at risk as OpenSSL is used in about two-thirds of all websites. It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.