
‘The internet’s on fire’ – Worst Security Vulnerability Discovered in Recent Years

by CISOCONNECT Bureau

A critical security vulnerability in a broadly utilized software tool — one rapidly abused in the online game Minecraft — is quickly emerging as a major threat to organizations around the world.

“The internet’s on fire right now,” said Adam Meyers, Senior Vice President of Intelligence at the cybersecurity firm Crowdstrike. “People are scrambling to patch and all kinds of people scrambling to exploit it.”

He said on Friday morning that, within the 12 hours since the bug’s existence was revealed, it had been “fully weaponised,” which means that cyber-criminals had created and distributed malicious tools to abuse it.

This security vulnerability may be the most noticeable flaw discovered in years.

It was discovered in an open-source logging tool that’s ubiquitous in cloud servers and enterprise software used in industry and government.

Unless the security vulnerability is fixed, it gives cybercriminals and programming amateurs alike easy access to internal networks where they can steal crucial information, plant malware, delete critical data and much more.

“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, Chief Security Officer for Cloudflare, whose online infrastructure protects websites from malicious actors.

Several million servers have it installed, and experts stated that the fallout would not be known for several days.

Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.

The Vulnerability
The flaw, known as ‘Log4Shell,’ was rated 10 on a scale of one to 10, according to the Apache Software Foundation, which oversees development of the software.

Anyone with the exploit can gain full access to an unpatched computer that uses the software.

Cybersecurity experts said the extreme ease with which the security flaw allows a hacker to access a web server without any password is what makes it so dangerous.

New Zealand’s computer emergency response team was among the first to report that the security vulnerability was being “actively exploited in the wild” just hours after it was publicly reported on Thursday and a patch was released afterwards.

It said that the security flaw, located in open-source Apache software used to run websites and other web services, was reported to the foundation on November 24 by the Chinese tech firm Alibaba.

It took two weeks to develop and release a fix. But it was reported that patching systems around the world could be a complicated task.
