Critical software bug sets ‘internet on fire’ — Analysis
Cybersecurity professionals raised concerns about an unknown flaw in a common software program that could allow hackers to compromise millions upon millions of internet-connected devices.
The fault, known as ‘Log4Shell’, has been described as the “single biggest, most critical vulnerability of the last decade” – which puts it in the running for a place among the biggest glitches in modern computing history. The flaw is affecting servers owned by tech companies like Microsoft, Apple and Amazon.
First, the exploit was discovered on servers hosting Minecraft’s popular Microsoft-owned online gaming platform. Marcus Hutchins, the British security researcher known for halting the WannaCry malware attack, tweeted that apparently some of the game’s users were already using the flaw to remotely run programs on the computers of other users by “simply pasting a short message into a chat box.”
By simply entering a message in the chat box, an attacker could gain remote code execution for Minecraft Servers.
— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
The vulnerability, which is located in ‘log4j’ – an open-source logging tool developed by the Apache Software Foundation – was first reported on November 24 by Chinese tech giant Alibaba. Alibaba, a Chinese tech giant, first reported the vulnerability on November 24th. The Foundation rated it as a 10 on a scale 1-10. The problem was not made public until Thursday.
Amazon Web Services, as well as other cloud servers providers and industry networks use the logging software. Logging is a way for applications to keep track of the activities that they’ve performed. Later, logs can be viewed to identify any errors. Nearly every network security system has a log process. This is a sign of how serious the problem really is.
Note that hackers have “fully weaponized” the exploit shortly after it was revealed, Adam Meyers – senior vice president of intelligence at cybersecurity firm Crowdstrike – told the AP that the “internet’s on fire right now”Experts raced for the fix while new tools were distributed to exploit it.
Log4Shell is still a threat, even though a security patch has been made to log4j.