A critical vulnerability in a widely used software tool – one that was increasingly exploited in the online game Minecraft – is rapidly emerging as a major threat to organizations around the world.
“The internet is on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm CrowdStrike. “People are trying to patch up,” he said, “and all kinds of people are trying to take advantage of that.” He said Friday morning that in the 12 hours since the bug’s existence was disclosed, it had been “fully armed,” meaning that malicious parties had developed and distributed tools to exploit it.
The flaw is arguably the worst computer vulnerability discovered in years. It was found in a utility that is ubiquitous in cloud server and business software used by industry and government. Unless fixed, it gives criminals, spies and programming novices easy access to internal networks, where they can steal valuable data, install malware, erase important information and much more.
“It would be hard to think of a company that isn’t at risk,” said Joe Sullivan, chief security officer at Cloudflare, whose online infrastructure protects websites from malicious actors. Countless millions of servers have it installed, and experts said the effects would go undetected for a few days.
Amit Yoran, CEO of cybersecurity company Tenable, called it “the biggest, most significant vulnerability of the last decade” – and possibly the largest in the history of modern computing.
The vulnerability, dubbed “Log4Shell”, was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone exploiting it can gain full access to an unpatched computer that uses the software.
Experts say that the extreme ease with which the vulnerability allows an attacker to access a Web server — not requiring a password — is what makes it so dangerous.
New Zealand’s computer emergency response team was among the first to report that the flaw had been “actively exploited in the wild” on Thursday, just hours after it was publicly reported and a patch was released.
The vulnerability, which resides in the open-source Apache software used to run websites and other Web services, was reported to the foundation by Chinese tech giant Alibaba on November 24. It took two weeks to develop and release a fix.
But patching systems around the world can be a complicated task. While most organizations and cloud providers such as Amazon should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which can often only be updated by their owners.
Tenable’s Yoran said organizations should recognize that they have been compromised and act quickly.
The first clear signs of the flaw being exploited appeared in Minecraft, an online game that is hugely popular with kids and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users were already using it to run programs on other users’ computers by pasting a short message into the chat box.
Microsoft said it has released a software update for Minecraft users. “Customers applying the fix are protected,” it said.
Researchers reported finding evidence that the vulnerability could be exploited on servers operated by companies such as Apple, Amazon, Twitter and Cloudflare.
Cloudflare’s Sullivan said there was no indication that his company’s servers were compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.