A critical vulnerability in a widely used software tool, one first observed in the online game Minecraft, is rapidly emerging as a major threat to organizations around the world.
"The Internet is on fire right now," said Adam Meyers, senior vice president of intelligence at the cybersecurity company CrowdStrike. "People are struggling to patch it up," he said, "and all kinds of people are trying to take advantage of it." Malicious actors have developed and distributed tools to exploit it.
The "Log4Shell" flaw is perhaps the worst computer vulnerability discovered in years. It was discovered in an open-source logging tool that is ubiquitous in cloud servers and business software used in industry and government administrations around the world. If not corrected, it gives criminals, spies, and even novice programmers easy access to internal networks, where they can steal valuable data, install malware, delete key information, and more.
"I can hardly imagine a company that is not in danger," said Joe Sullivan, security chief of Cloudflare, whose online infrastructure protects websites from malicious attackers. The logging tool has been installed on millions of servers, and experts say that the consequences will not be known for a few more days.
Amit Yoran, CEO of cybersecurity company Tenable, called it "the biggest, most critical vulnerability in the last decade" - and probably the biggest in the history of modern computing.
The vulnerability, called "Log4Shell", was rated 10 on a scale of one to ten by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can get full access to a computer running an unpatched version of the software.
Experts say that the ease with which the vulnerability allows an attacker to access a web server is extreme. What makes it so dangerous is that no password is even needed.
The New Zealand emergency team was among the first to report that the defect was "actively exploited" just hours after it was made public on Thursday and a patch was released.
Chinese technology giant Alibaba reported the vulnerability, which is in the open-source Apache software used to run websites and other web services, to the foundation on November 24, the statement said. It took two weeks to develop and release the patch.
But patching systems around the world can be a complicated task. While most organizations and cloud services, such as Amazon, should be able to easily update their web servers, the same Apache software is also often built into third-party programs, which can often only be updated by their owners.
Yoran, from Tenable, said that organizations should assume that they are compromised and react quickly.
The first obvious signs of exploitation of the bug appeared in Minecraft, an online game that is very popular among children and is owned by Microsoft. Meyers and security expert Marcus Hutchins said that Minecraft users were already using it to run programs on other users' computers by inserting a short message in the chatbox.
Microsoft has announced that it has released a software update for Minecraft users. "Customers who apply the update are protected," the company said.
Researchers reported finding evidence that the vulnerability could be exploited on servers run by companies such as Apple, Amazon, Twitter, and Cloudflare.
Sullivan of Cloudflare said there was no indication that his company's servers had been compromised. Apple, Amazon, and Twitter did not immediately respond to requests for comment.