Current:Home > ScamsSecurity experts race to fix critical software flaw threatening industries worldwide-DB Wealth Institute B2 Expert Reviews
Security experts race to fix critical software flaw threatening industries worldwide
View Date:2024-12-23 23:58:39
BOSTON — A critical vulnerability in a widely used software tool — one quickly exploited in the online game Minecraft — is rapidly emerging as a major threat to organizations around the world.
"The internet's on fire right now," said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. "People are scrambling to patch," he said, "and all kinds of people scrambling to exploit it." He said Friday morning that in the 12 hours since the bug's existence was disclosed that it had been "fully weaponized," meaning malefactors had developed and distributed tools to exploit it.
The flaw may be the worst computer vulnerability discovered in years. It was uncovered in an open-source logging tool that is ubiquitous in cloud servers and enterprise software used across industry and government. Unless it is fixed, it grants criminals, spies and programming novices alike easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.
"I'd be hard-pressed to think of a company that's not at risk," said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors. Untold millions of servers have it installed, and experts said the fallout would not be known for several days.
Amit Yoran, CEO of the cybersecurity firm Tenable, called it "the single biggest, most critical vulnerability of the last decade" — and possibly the biggest in the history of modern computing.
The vulnerability, dubbed "Log4Shell," was rated 10 on a scale of one to 10 the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software,
Experts said the extreme ease with which the vulnerability lets an attacker access a web server — no password required — is what makes it so dangerous.
New Zealand's computer emergency response team was among the first to report that the flaw was being "actively exploited in the wild" just hours after it was publicly reported Thursday and a patch released.
The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on Nov. 24 by the Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.
But patching systems around the world could be a complicated task. While most organizations and cloud providers such as Amazon should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.
Yoran, of Tenable, said organizations need to presume they've been compromised and act quickly.
The first obvious signs of the flaw's exploitation appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box.
Microsoft said it had issued a software update for Minecraft users. "Customers who apply the fix are protected," it said.
Researchers reported finding evidence the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.
Cloudflare's Sullivan said there we no indication his company's servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.
veryGood! (156)
Related
- 10 Trendy Bags To Bring to All of Your Holiday Plans
- 5 Marines aboard helicopter that crashed outside San Diego confirmed dead
- 5 missing Marines found dead after helicopter crash in California, officials say
- Gov. Shapiro seeks school-funding boost to help poorer districts, but Republicans remain wary
- Georgia House Democrats shift toward new leaders after limited election gains
- 2024 NBA trade deadline predictions: Sixers, Lakers make moves; Warriors stick it out
- AI-generated voices in robocalls can deceive voters. The FCC just made them illegal
- New Hampshire Senate votes to move state primary from September to June. The House wants August
- Tesla Cybertruck modifications upgrade EV to a sci-fi police vehicle
- Jets owner Woody Johnson throws shade at Zach Wilson: 'Didn't have' backup QB last season
Ranking
- Gavin Rossdale Makes Rare Public Appearance With Girlfriend Xhoana Xheneti
- Elon Musk is synonymous with Tesla. Is that good or bad for shareholders?
- Louisiana’s GOP governor plans to deploy 150 National Guard members to US-Mexico border
- Paul Giamatti says Cher 'really needs to talk to' him, doesn't know why: 'It's killing me'
- Katherine Schwarzenegger Gives Birth, Welcomes Baby No. 3 With Chris Pratt
- 29 Early President's Day Sales You Can Shop Right Now, From Le Creuset, Therabody, Pottery Barn & More
- Sam Darnold finally found his place – as backup QB with key role in 49ers' Super Bowl run
- We know about Kristin Juszczyk's clothing line. Why don't we know about Kiya Tomlin's?
Recommendation
-
Trump announces Tom Homan, former director of immigration enforcement, will serve as ‘border czar’
-
Texas man sentenced to 180 days in jail for drugging wife’s drinks to induce an abortion
-
EPA Reports “Widespread Noncompliance” With the Nation’s First Regulations on Toxic Coal Ash
-
Caitlin Clark, Iowa upend Penn State: Clark needs 39 points for women's record
-
12 college students charged with hate crimes after assault in Maryland
-
Jellyfish with bright red cross found in remote deep-sea volcanic structure
-
Kick Off Super Bowl 2024 With a Look at the Kansas City Chiefs and San Francisco 49ers' Star-Studded Fans
-
Is Bigfoot real? A new book dives deep into the legend