Security experts around the world raced on Friday to patch one of the worst computer vulnerabilities discovered in years — a critical flaw in open-source code widely used across industry and government in cloud services and enterprise software.
“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, Chief Security Officer for Cloudflare, whose online infrastructure protects websites from malicious actors.
Experts say the fallout would not be known for several days.
Full access
New Zealand’s computer emergency response team was among the first to report that the vulnerability, in a Java-language utility for Apache servers used to log user activity, was being “actively exploited in the wild” hours after it was publicly reported on Thursday and a patch was released.
The vulnerability, dubbed Log4Shell, was rated 10 on a scale of one to 10 — the worst possible. Anyone with the exploit can gain full access to an unpatched machine.
“The internet is on fire right now. People are scrambling to patch,” said Adam Meyers, Senior Vice President of Intelligence at the cybersecurity firm Crowdstrike.
“In the last 12 hours, the vulnerability has been fully weaponized.”
The vulnerability in the Apache Software Foundation module was discovered on November 24 by Chinese tech giant Alibaba, the foundation said. Meyers expects computer emergency response teams to have a busy weekend trying to identify all impacted machines.
Third-party programs
The hunt is complicated by the fact that affected software can be in programs provided by third parties.
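The practical difficulty in that hunt is that the logging library (Apache Log4j's log4j-core, the component behind Log4Shell) is rarely installed on its own: it arrives inside a vendor's JAR, which itself sits inside a WAR or EAR. The following inventory script is an added example, not code from the article or from any vendor it names. It walks a directory tree, opens every archive, recurses into archives bundled inside other archives, and reports each copy of log4j-core it finds by reading the Maven metadata file that Maven-built JARs carry (`META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`) and by checking for the `JndiLookup` class, which repackaged ("shaded") copies keep even when they drop the metadata. The sample tree it builds, the `vendor-bundle.jar` and `tool.jar` names and the version string `EXAMPLE-VERSION` are constructed for the demonstration; compare the reported versions against the Apache advisory for your environment.

```python
import io
import os
import tempfile
import zipfile

# Maven metadata path that a Maven-built log4j-core JAR carries.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that implements JNDI lookups inside log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _parse_version(pom_properties: bytes) -> str:
    """Pull the `version=` line out of a pom.properties file."""
    for line in pom_properties.decode("utf-8", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return "unknown"


def _scan_archive(data: bytes, label: str, findings: list) -> None:
    """Inspect one archive held in memory, then recurse into any archive nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if LOG4J_CORE_POM in names:
            findings.append({
                "location": label,
                "version": _parse_version(zf.read(LOG4J_CORE_POM)),
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            })
        elif JNDI_LOOKUP_CLASS in names:
            # Shaded/repackaged copies often lose the Maven metadata but keep the class.
            findings.append({"location": label, "version": "unknown", "jndi_lookup_present": True})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_archive(zf.read(name), f"{label}!/{name}", findings)


def find_log4j_core(root: str) -> list:
    """Walk `root` and report every log4j-core copy, including ones bundled inside other archives."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    _scan_archive(fh.read(), path, findings)
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed fixture: a WAR bundling a third-party JAR that itself carries log4j-core,
    plus a shaded JAR that kept the JndiLookup class but not the Maven metadata."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(LOG4J_CORE_POM,
                   "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=EXAMPLE-VERSION\n")
        z.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder bytes, not a real class file
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/vendor-bundle.jar", inner.getvalue())
    shaded = io.BytesIO()
    with zipfile.ZipFile(shaded, "w") as z:
        z.writestr(JNDI_LOOKUP_CLASS, b"")  # shaded copy without pom.properties
    with open(os.path.join(root, "tool.jar"), "wb") as fh:
        fh.write(shaded.getvalue())


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    for f in find_log4j_core(root):
        print(f"{f['location']}: version={f['version']} jndi_lookup={f['jndi_lookup_present']}")
```

Run it against a real application directory by calling `find_log4j_core("/opt/myapp")`; the `!/` separator in each reported location shows the nesting path down to the bundled copy, which is the detail a vendor's own package listing will not show.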
The vulnerability’s exploitation was apparently first discovered in Minecraft, an online game popular with kids and owned by Microsoft.
Meyers and security expert Marcus Hutchins said Minecraft users had already been using it to execute programs on the computers of other users by pasting a short message in a chat box.
Wide-ranging vulnerability
Microsoft said it had issued a software update for Minecraft users and “customers who apply the fix are protected”. Researchers reported finding evidence that the vulnerability could be exploited in servers run by companies including Apple, Amazon, Twitter and Cloudflare.
Cloudflare’s Sullivan said there was no indication his company’s servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.