A critical vulnerability in a widely used software tool – one quickly exploited in the online game Minecraft – is rapidly becoming a major threat to businesses around the world.
“The internet is on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike. “People are scrambling for patches,” he said, “and all kinds of people are trying to take advantage of it.” He said Friday morning that in the 12 hours since the bug was posted it had become “fully weapons grade,” meaning that malefactors had developed and distributed tools to exploit it.
The bug could be the worst computer vulnerability discovered in years. It was discovered in a utility that is ubiquitous in cloud servers and enterprise software used in industry and government.
If left unchecked, it gives criminals, spies, and novice programmers alike easy access to internal networks where they can loot valuable data, install malware, delete critical information, and much more.
“I have a hard time imagining a company that isn’t at risk,” said Joe Sullivan, chief security officer of Cloudflare, whose online infrastructure protects websites from malicious actors. Countless millions of servers have it installed, and experts said the fallout wouldn’t be known for several days.
Amit Yoran, CEO of cybersecurity company Tenable, called it “the biggest and most critical vulnerability of the last decade” – and possibly the biggest in the history of the modern computer.
The vulnerability, called “Log4Shell”, was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees the development of the software. Anyone with the exploit can have full access to an unpatched computer using the software.
Experts say the vulnerability allows an attacker to access a web server without requiring a password, which is what makes it so dangerous.
The New Zealand computer emergency response team was among the first to report that the bug was being “actively exploited in the wild”, just hours after it was publicly reported and a patch was released on Thursday.
The vulnerability, which resides in open source Apache software used to run websites and other web services, was reported to the foundation on Nov. 24 by Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.
However, patching systems around the world can be a complicated task. While most organizations and cloud providers like Amazon should be able to update their web servers easily, the same Apache software is often also embedded in third-party programs that can only be updated by their owners.
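The embedded-copy problem described above is what makes inventory the first step of a response. The following defender-side helper is an added example, not code from the article or from Apache: it walks a directory, opens Java archives, recurses into archives nested inside them, and reports every bundled log4j-core together with the version Maven records in its pom.properties. The archive layout and sample .war it scans are constructed for the example.

```python
import io
import re
import zipfile
from pathlib import Path

# Hypothetical inventory helper (not from the article): find copies of
# log4j-core hidden inside nested Java archives so they can be patched.
ARCHIVE_EXT = {".jar", ".war", ".ear", ".zip"}
POM_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")

def _scan_bytes(data, label, found):
    """Scan one archive held in memory; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    for name in zf.namelist():
        if POM_RE.search(name):
            props = zf.read(name).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            found.append((f"{label}!{name}", m.group(1).strip() if m else "unknown"))
        elif Path(name).suffix.lower() in ARCHIVE_EXT:
            _scan_bytes(zf.read(name), f"{label}!{name}", found)

def find_log4j_core(root):
    """Return [(location, version)] for every log4j-core found under root."""
    found = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            _scan_bytes(p.read_bytes(), str(p), found)
    return found

def build_sample_archive(version="2.14.1"):
    """Constructed sample: an application .war bundling a log4j-core jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   f"artifactId=log4j-core\ngroupId=org.apache.logging.log4j\nversion={version}\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", inner.getvalue())
        z.writestr("WEB-INF/web.xml", "<web-app/>")
    return outer.getvalue()

def scan_sample():
    """Run the scanner over the constructed sample instead of a real filesystem."""
    found = []
    _scan_bytes(build_sample_archive(), "app.war", found)
    return found

if __name__ == "__main__":
    for where, ver in scan_sample():
        print(where, ver)
```

The reported version is only an inventory fact; which versions still need the fix must be checked against the Apache Software Foundation's advisory, and an archive with no pom.properties can still contain the library under another name.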
Tenable’s Yoran said businesses need to assume they’ve been compromised and act quickly.
The first obvious signs of the bug being exploited appeared in Minecraft, an online game very popular with children and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users were already using it to run programs on other users’ computers by pasting a short message in a chat box.
Microsoft said it has released a software update for Minecraft users. “Customers who apply the fix are protected,” it said.
Researchers reported that they found evidence that the vulnerability could be exploited in servers owned by companies such as Apple, Amazon, Twitter, and Cloudflare.
Cloudflare’s Sullivan said there was no evidence of his company’s servers being compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.