A critical vulnerability in a widely used software tool — one quickly exploited in the online game Minecraft — is rapidly emerging as a major threat to organizations around the world.
“The Internet’s on fire right now,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike.
“People are scrambling to patch, and all kinds of people scrambling to exploit it,” he said.
On Friday morning, Meyers said that in the 12 hours since the bug’s existence was disclosed it had been “fully weaponized,” meaning malefactors had developed and distributed tools to exploit it.
The flaw could be the worst computer vulnerability discovered in years. It was uncovered in a utility that is ubiquitous in cloud servers and enterprise software used across industry and government.
Unless it is fixed, it grants criminals, spies and programming novices alike easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.
“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects Web sites from malicious actors.
Millions of servers have it installed, and experts said the fallout would not be known for several days.
Amit Yoran, chief executive of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.
The vulnerability, dubbed “Log4Shell,” was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software.
Experts said the extreme ease with which the vulnerability lets an attacker access a Web server — no password required — is what makes it so dangerous.
The vulnerability, located in open-source Apache software used to run Web sites and other Web services, was reported to the foundation on Nov. 24 by Chinese tech giant Alibaba, it said.
It took two weeks to develop and release a fix.
However, patching systems could be a complicated task. While most organizations and cloud providers such as Amazon should be able to update their Web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.
Yoran said organizations need to presume they have been compromised and act quickly.
The first obvious signs of the flaw’s exploitation appeared in Minecraft, a hugely popular online game owned by Microsoft.
Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box.
Microsoft said it had issued an update for Minecraft users.