A software vulnerability exploited in the online game Minecraft is quickly becoming a major threat to Internet connected devices around the world.
“The internet is on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike. “People scramble for patches, and there are script kiddies and all kinds of people trying to take advantage of it.”
He said Friday morning that in the 12 hours since the bug was posted, the bug was “fully weapons grade,” meaning malefactors developed and distributed tools to exploit it.
The bug could be the worst computer vulnerability discovered in years. It opens a loophole in software code that is ubiquitous in cloud servers and enterprise software used in industry and government. It could allow criminals or spies to loot valuable data, install malware or delete important information, and much more.
“I have a hard time imagining a company that isn’t at risk,” said Joe Sullivan, chief security officer of Cloudflare, whose online infrastructure protects websites from malicious actors. Countless millions of servers have it installed, and experts said the fallout wouldn’t be known for several days.
Amit Yoran, CEO of cybersecurity company Tenable, called it “the biggest and most critical vulnerability of the last decade” – and possibly the biggest in the history of modern computers.
The vulnerability called “Log4Shell” was rated 10 on a scale of one to 10 by the Apache Software Foundation. Anyone with the exploit can Get full access to an unpatched computer who uses the software.
The New Zealand computer emergency team was one of the first to report the error “Actively exploited in the wild” just hours after it was publicly reported and a patch released on Thursday.
The vulnerability, which resides in the open source Apache software used to run websites and other web services, was discovered by Chinese technology giant Alibaba on November 24th. said the foundation.
Finding and patching the software can be a complicated task. While most organizations and cloud providers should be able to easily update their web servers, often the same Apache software is also embedded in third-party programs that often can only be updated by their owners.
Tenable’s Yoran said businesses need to assume they’ve been compromised and act quickly.
The exploitation of the bug was apparently first discovered in “Minecraft”, an online game that is very popular with children and is owned by Microsoft.
Meyers and security expert Marcus Hutchins said Minecraft users have already used it to run programs on other users’ computers by pasting a short message in a chat box.
Microsoft claims to have released a software update for “Minecraft” users. “Customers who apply the fix are protected,” it said.
The researchers reported that they found evidence that the vulnerability could be exploited in servers owned by companies such as Apple, Amazon, Twitter, and Cloudflare.
Cloudflare’s Sullivan said there was no evidence of his company’s servers being compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.