Security experts around the world are trying to fix one of the worst computer vulnerabilities discovered in years, a critical flaw in open source code that is widely used across industry and government in cloud services and enterprise software.
“I have a hard time imagining a company that isn’t at risk,” said Joe Sullivan, chief security officer of Cloudflare, whose online infrastructure protects websites from malicious actors. Countless millions of servers have it installed, and experts said the fallout wouldn’t be known for several days.
The New Zealand computer emergency response team was one of the first to report that the bug in a Java utility for Apache servers, used to log user activity, was being “actively exploited in the wild” just hours after Thursday’s public announcement and the release of a patch.
The vulnerability, named “Log4Shell”, was rated 10 on a scale of one to 10, the worst possible. Anyone with the exploit can gain full access to an unpatched machine.
“The internet is on fire right now. People are scrambling for patches and there are script kiddies and all kinds of people trying to take advantage of it,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike.
“It has been fully weaponized in the past 12 hours.”
The vulnerability in the module of the Apache Software Foundation was discovered on November 24th by the Chinese technology giant Alibaba, the foundation announced.
Meyers expected computer emergency teams to have a busy weekend identifying all of the affected machines. The hunt is made more difficult by the fact that affected software can be contained in third-party programs.
Exploitation of the bug was apparently first discovered in Minecraft, an online game very popular with children and owned by Microsoft.
Meyers and security expert Marcus Hutchins said Minecraft users had already used it to run programs on other users’ computers by pasting a short message in a chat box.
Microsoft said it released a software update for Minecraft users and “customers who apply the fix will be protected.”
The researchers reported that they found evidence that the vulnerability could be exploited in servers owned by companies such as Apple, Amazon, Twitter, and Cloudflare.
Cloudflare’s Sullivan said there was no evidence of his company’s servers being compromised.
Apple, Amazon and Twitter did not immediately respond to requests for comment.
Australian Associated Press