It is found in utilities that are widespread in cloud he servers and enterprise software used by industry and government agencies. Unless corrected, criminals, spies, and novice programmers can easily access internal networks to loot valuable data, inject malware, or delete important information. Joe Sullivan, Chief Security Officer at Cloudflare said: It has been installed on countless servers and experts say the impact remains unnoticed for days.
A critical vulnerability in a widely used software tool—one readily exploited in the online game Minecraft—is quickly becoming a major threat to businesses around the world. “The internet is on fire right now,” said Adam Meyers, his president and senior vice president of intelligence at the cybersecurity firm Crowdstrike, which was distributed to take advantage of him. This bug could be the worst computer vulnerability discovered in years.
Highlights
Experts say the vulnerability makes it so easy for an attacker to access her web server without requiring a password, which is why it’s so dangerous. New Zealand’s computer emergency response team first reported that the bug had been “actually actively exploited” just hours after it was made public and a patch was released on Thursday. A vulnerability in the open-source Apache software used to run websites and other web services was reported to the foundation by Chinese tech giant Alibaba on Nov.
Amit Yoran, CEO of cybersecurity firm Tenable, called it “the biggest and most critical vulnerability of the last decade” and possibly the biggest in the history of modern computing. Known as “Log4Shell,” the vulnerability was rated a 10 on a scale of 1 to 10 by the Apache Software Foundation, which oversees the development of the software. An exploit would give anyone complete access to an unpatched computer running the software.
The first obvious sign of bug exploitation appeared in Minecraft, his game online, which is very popular with children and owned by Microsoft. According to Meyers and security expert Marcus Hutchins, Minecraft users are already using Minecraft to run programs on other users’ computers by pasting short messages into his chat box.
It took him two weeks to develop and release the fix. However, patching systems around the world can be a complex task. Most organizations and cloud providers like Amazon should be able to easily update their own web servers, but the same Apache software is often embedded in third-party programs and is often the owner’s can only be updated. Tenable’s Yoran said organizations should assume they’ve been compromised and act quickly.