In this photo illustration, a Minecraft logo appears on the screen of a smartphone.
Pavlo Gonchar | SOPA Pictures | LightRocket | Getty Images
A critical vulnerability in a widely used software tool – one quickly exploited in the online game Minecraft – is quickly emerging as a major threat to organizations around the world.
“The internet is on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike. “People are jostling to patch,” he said, “and all kinds of people are jostling to exploit it.” He said on Friday morning that in the 12 hours since the bug’s existence was revealed, it has been “fully militarized,” meaning criminals have developed and distributed tools for it. to exploit.
The flaw may be the worst IT vulnerability discovered in years. It was discovered in a ubiquitous utility in cloud servers and enterprise software used in industry and government. Unless it is fixed, it gives criminals, spies and programming novices easy access to internal networks where they can loot valuable data, implant malware, erase crucial information and much more.
“I would be hard pressed to think of a company that is completely risk free,” said Joe Sullivan, chief security officer of Cloudflare, whose online infrastructure protects websites from malicious actors. Millions of servers installed it, and experts said the fallout would not be known for several days.
Amit Yoran, CEO of cybersecurity firm Tenable, called it “the biggest and most critical vulnerability of the past decade” – and perhaps the biggest in modern computing history.
The vulnerability, nicknamed “Log4Shell”, was rated 10 on a scale of 1 to 10 by the Apache Software Foundation, which oversees the development of the software. Anyone with the exploit can gain full access to an unpatched computer that is running the software,
Experts have said that the extreme ease with which the vulnerability allows an attacker to access a web server – no password required – is what makes it so dangerous.
The New Zealand Computer Emergency Response Team was among the first to report that the vulnerability was “actively exploited in the wild” just hours after it was released on Thursday and a patch was released.
The vulnerability, located in the open source software Apache used to run websites and other web services, was reported to the foundation on November 24 by Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.
But fixing systems around the world could be a complicated task. While most organizations and cloud providers like Amazon should be able to update their web servers with ease, the same Apache software is also often integrated into third-party programs, which often can only be updated by their owners. .
Yoran, from Tenable, said organizations need to assume they’ve been compromised and act quickly.
The first obvious signs that the vulnerability was being exploited were in Minecraft, a popular online game with children and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users are already using it to run programs on other users’ computers by pasting a short message into a chat box.
Microsoft said it has released a software update for Minecraft users. “Customers who apply the fix are protected,” he said.
Researchers reported finding evidence that the vulnerability could be exploited on servers managed by companies such as Apple, Amazon, Twitter, and Cloudflare.
Sullivan of Cloudflare said there was no indication that his company’s servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.