“The internet is on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike.
“People are scrambling to patch and all kinds of people are scrambling to exploit it.”
He said Friday morning that within 12 hours of the bug being disclosed, it had been “fully militarized,” meaning criminals had developed and distributed tools to exploit it.
The flaw may be the worst IT vulnerability discovered in years.
It was discovered in an open source logging tool that is ubiquitous in cloud servers and enterprise software used in industry and government.
Unless it is fixed, it gives criminals, spies and programming novices easy access to internal networks where they can loot valuable data, implant malware, erase crucial information and much more.
“I would be hard pressed to think of a company that is completely risk free,” said Joe Sullivan, chief security officer of Cloudflare, whose online infrastructure protects websites from malicious actors.
Millions of servers installed it, and experts said the fallout would not be known for several days.
Amit Yoran, CEO of cybersecurity firm Tenable, called it “the biggest and most critical vulnerability of the past decade” – and perhaps the biggest in the history of modern computing.
The vulnerability, nicknamed “Log4Shell”, was rated 10 on a scale of 1 to 10 by the Apache Software Foundation, which oversees the development of the software.
Anyone with the exploit can gain full access to an unpatched computer that is using the software.
Experts have said that the extreme ease with which the vulnerability allows an attacker to access a web server – no password required – is what makes it so dangerous.
The New Zealand Computer Emergency Response Team was among the first to report that the vulnerability was “actively exploited in the wild” just hours after it was disclosed on Thursday and a patch was released.
The vulnerability, located in the open source Apache software used to run websites and other web services, was reported to the foundation on November 24 by Chinese tech giant Alibaba, he said.
It took two weeks to develop and release a fix.
But fixing systems around the world could be a complicated task.
While most organizations and cloud providers like Amazon should be able to update their web servers with ease, the same Apache software is also often integrated into third-party programs, which often can only be updated by their owners.
Yoran, from Tenable, said organizations need to assume they’ve been compromised and act quickly.
The first obvious signs that the vulnerability was being exploited were in Minecraft, an online game popular with children and owned by Microsoft.
Meyers and security expert Marcus Hutchins said Minecraft users are already using it to run programs on other users’ computers by pasting a short message into a chat box.
Microsoft said it has released a software update for Minecraft users.
“Customers who apply the fix are protected,” he said.
Researchers reported finding evidence that the vulnerability could be exploited on servers managed by companies such as Apple, Amazon, Twitter, and Cloudflare.
Sullivan of Cloudflare said there was no indication that his company’s servers had been compromised.
Apple, Amazon and Twitter did not immediately respond to requests for comment.