Security experts around the world rushed on Friday to fix one of the worst computer vulnerabilities discovered in years, a critical flaw in open source code that is widely used across industry and government in cloud services and enterprise software.
“I would be hard pressed to think of a company that is completely risk free,” said Joe Sullivan, chief security officer of Cloudflare, whose online infrastructure protects websites from malicious actors. Millions of servers have the affected software installed, and experts said the fallout would not be known for several days.
The New Zealand IT Emergency Response Team was among the first to report that the flaw in a Java-language utility for Apache servers used to record user activity was “actively exploited in the wild” just hours after it was disclosed on Thursday and a patch was released.
The vulnerability, nicknamed “Log4Shell”, was rated 10 on a scale of 1 to 10, the worst possible. Anyone wishing to exploit it can gain full access to an unpatched machine.
“The internet is on fire right now. People are scrambling to patch and there’s script kiddies and all kinds of people scrambling to exploit it,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike. “For the past 12 hours it has been fully weaponized.”
The vulnerability in the Apache Software Foundation module was discovered on November 24 by Chinese technology giant Alibaba, the foundation says. Meyers expected IT emergency response teams to spend a busy weekend trying to identify all impacted machines. The hunt is complicated by the fact that the affected software can be embedded in programs provided by third parties.
Exploitation of the flaw was apparently first discovered in Minecraft, an online game popular with children and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users had already used it to run programs on other users’ computers by pasting a short message into a chat box.
Microsoft said it has released a software update for Minecraft users and that “customers who apply the patch are protected.”
Researchers reported finding evidence that the vulnerability could be exploited in servers operated by companies such as Apple, Amazon, Twitter and Cloudflare.
Sullivan of Cloudflare said there was no indication that his company’s servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.