'The internet's on fire' as techs race to fix software flaw

Computer security experts around the world are racing to patch one of the worst software vulnerabilities discovered in years

Via AP news wire
Friday 10 December 2021 23:15
Cybersecurity Java Vulnerability
Cybersecurity Java Vulnerability

A software vulnerability exploited in the online game Minecraft is rapidly emerging as a major threat to internet-connected devices around the world.

“The internet’s on fire right now," said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. "People are scrambling to patch and there are script kiddies and all kinds of people scrambling to exploit it." He said Friday morning that in the 12 hours since the bug's existence was disclosed that it had been "fully weaponized,” meaning that malefactors have developed and distributed tools to exploit.

The flaw may be the worst computer vulnerability discovered in years. It opens a loophole in software code that is ubiquitous in cloud servers and enterprise software used across industry and government. It could allow criminals or spies to loot valuable data, plant malware or erase crucial information, and much more.

“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors. Untold millions of servers have it installed, and experts said the fallout would not be known for several days.

Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.

The vulnerability, dubbed ‘Log4Shell,’ was rated 10 on a scale of one to 10 the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software,

New Zealand s computer emergency response team was among the first to report that the flawwas being “actively exploited in the wild" just hours after it was publicly reported Thursday and a patch released.

The vulnerability, located in open-source Apache software used to run websites and other web services, was discovered Nov. 24 by the Chinese tech giant Alibaba the foundation said.

Finding and patching the software could be a complicated task. While most organizations and cloud providers should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.

Yoran, of Tenable, said organizations need to presume they’ve been compromised and act quickly.

The flaw's exploitation was apparently first discovered in Minecraft, an online game hugely popular with kids and owned by Microsoft

Meyers and security expert Marcus Hutchins said Minecraft users had already been using it to execute programs on the computers of other users by pasting a short message in a chat box.

Microsoft said it had issued a software update for Minecraft users. “Customers who apply the fix are protected,” it said.

Researchers reported finding evidence the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.

Cloudflare's Sullivan said there we no indication his company's servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

By clicking ‘Create my account’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in