First reported late yesterday, a newly revealed flaw in Linux, UNIX, and Mac OS X is being called by researchers potentially bigger than the Heartbleed vulnerability reported in April of this year. Heartbleed allowed hackers to retrieve and read stored data, but the newly uncovered bug allows miscreants to take full control of the entire system.
Patches are already rolling out for major Linux distributions, including Red Hat, and administrators of these systems are urged to patch immediately.
The flaw allows a remote attacker to attach a malicious executable that is then run when the open source Bourne Again Shell (Bash, a very common UNIX command shell) is invoked. It is not just a single version of Bash that is vulnerable; every version in use today is. The flaw, only just discovered, is reported to have existed for almost 25 years, which means it has made its way into both computers and devices.
In its advisory for CVE-2014-6271, Red Hat provides diagnostic steps to check whether your version of Bash is vulnerable.
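As an added example (not taken from this article or from Red Hat's advisory), the widely published CVE-2014-6271 self-test wrapped in a POSIX shell function, so it can be dropped into a baseline or inventory script that runs on each host. The check sets an environment variable whose value looks like an exported Bash function definition with a command appended after it; an unpatched Bash runs that appended command while importing its environment, which is exactly the defect. The function name, the optional path argument, and the `patched` / `vulnerable` / `bash-not-found` result strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the article or from Red Hat.
# Probes the Bash binary given as $1 (default: the first "bash" on PATH)
# for CVE-2014-6271 and prints one of: patched, vulnerable, bash-not-found.
# Exit status: 0 = patched, 1 = vulnerable, 2 = no bash found.
shellshock_status() {
    bash_bin="${1:-bash}"

    # Hosts without Bash cannot be affected by a Bash bug; report that
    # separately so a fleet script does not misread it as "patched".
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash-not-found"
        return 2
    fi

    # The variable value mimics an exported function ("() { :;}") followed
    # by a trailing command. A fixed Bash treats the whole string as plain
    # data; a vulnerable one executes "echo vulnerable" during startup,
    # before the harmless "echo probe" ever runs.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *vulnerable*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "patched"
            return 0
            ;;
    esac
}

# When run directly, probe the default bash on this host.
shellshock_status
```

Run it as `sh shellshock_check.sh` on each host, or source the file and call `shellshock_status /path/to/bash` to test a specific binary (for example one bundled with an appliance or container image). Because the probe only asks the local shell to echo a fixed string, it is safe to include in routine configuration audits; a `vulnerable` result means the distribution patch described above has not yet been applied.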
So, if this critical issue exists in Bash, does it exist in other Linux/UNIX shells? Testing for various other command shells is underway, but so far the problem exists only in Bash.
US-CERT is now involved as well, issuing warnings and updates for the vulnerability. Beyond Red Hat, US-CERT reports that updates are available for CentOS, Debian, and Ubuntu, and that a GNU Bash patch is available.
Troy Hunt does an amazing job digging through the specifics of this vulnerability here: Everything you need to know about the Shellshock Bash bug