A flaw, dubbed Log4Shell, in a widely used software tool is rapidly emerging as a “major threat” to organizations across the world. Experts have described it as the worst computer vulnerability discovered in years. It was discovered in an open-source logging tool that is ubiquitous in cloud servers and enterprise software used across industry and government. Experts believe millions of servers have this software tool installed and it wouldn’t be known for several days.
Adam Meyers, senior vice-president of intelligence at the cybersecurity firm Crowdstrike, said the internet is on fire right now. “People are scrambling to patch and all kinds of people scrambling to exploit it.” Meyers said that on Friday morning, in the 12 hours since the bug’s existence was disclosed, it had been “fully weaponized”, meaning malefactors had developed and distributed tools to exploit it.
Joe Sullivan, chief security officer for Cloudflare, said he was hard-pressed to think of a company that’s not at risk. Amit Yoran, CEO of the cybersecurity firm Tenable, described it as the single biggest, most critical vulnerability of the last decade, and possibly the biggest in the history of modern computing.
The flaw is located in open-source Apache software used to run websites and other web services. It was reported to the Apache Software Foundation on 24 November by Chinese tech giant Alibaba. Reports highlight that it took two weeks to develop and release a fix. The foundation rated the vulnerability 10 on a scale of one to 10. Anyone with the exploit can obtain full access to an unpatched computer that uses the software.
The first signs of the flaw’s exploitation appeared in Minecraft, an online game popular with kids and owned by Microsoft. Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box. However, Microsoft said it had issued a software update for Minecraft users. “Customers who apply the fix are protected,” it said.
Experts say patching systems around the world could be a complicated task. While most organizations and cloud providers such as Amazon Web Services should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which can only be updated by their owners.