A critical vulnerability in a widely used software tool — one quickly exploited in the online game Minecraft — is rapidly emerging as a major threat to organizations around the world.
“The Internet’s on fire right now,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike.
“People are scrambling to patch, and all kinds of people scrambling to exploit it,” he said.
On Friday morning, Meyers said that in the 12 hours since the bug’s existence was disclosed, it had been “fully weaponized,” meaning malefactors had developed and distributed tools to exploit it.
The flaw could be the worst computer vulnerability discovered in years. It was uncovered in a utility that is ubiquitous in cloud servers and enterprise software used across industry and government.
Unless it is fixed, it grants criminals, spies and programming novices alike easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.
“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects Web sites from malicious actors.
Millions of servers have it installed, and experts said the fallout would not be known for several days.
Amit Yoran, chief executive of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.
The vulnerability, dubbed “Log4Shell,” was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software.
Experts said the extreme ease with which the vulnerability lets an attacker access a Web server — no password required — is what makes it so dangerous.
The vulnerability, located in open-source Apache software used to run Web sites and other Web services, was reported to the foundation on Nov. 24 by Chinese tech giant Alibaba, it said.
It took two weeks to develop and release a fix.
However, patching systems could be a complicated task. While most organizations and cloud providers such as Amazon should be able to update their Web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.
Yoran said organizations need to presume they have been compromised and act quickly.
The first obvious signs of the flaw’s exploitation appeared in Minecraft, a hugely popular online game owned by Microsoft.
Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box.
Microsoft said it had issued an update for Minecraft users.