Hackers are attempting to exploit a critical, zero-day vulnerability hundreds of thousands of times. The flaw is known as Log4j, with security experts scrambling to stop the threat in its tracks. The critical issues was discovered in Log4j, which is a Java library used for recording error messages in applications, and any device that uses versions 2.0 to 2.14.1 and connects to the internet is exposed to this.
A wide variety of popular devices and products use Log4j, such as the Java version of hugely popular game Minecraft. PC gaming service Steam also uses Log4j, as does Apple’s iCloud service, which iPhone, iPad, and Mac owners rely upon to store crucial data – like settings data, photos, documents and more – in the cloud.
The Log4j vulnerability can be exploited to steal sensitive information such as usernames and passwords as well as installing dangerous malware on affected devices.
Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said the Log4j flaw poses a “severe risk” to the entire internet. Easterly said: “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.”
The way hackers have been exploiting the Log4j flaw varies depending on the programme being targeted. With the Java version of Minecraft, there have been reports the flaw was exploited via the game’s chat box.
Thankfully, a fix for this flaw is available in version 2.15.0 of Log4j. And hundreds of thousands of IT teams around the world are trying to update their systems accordingly.
The problem is it can take time for these updates to be applied across the board, so it might be months until everyone is safe once again.
Underlining the high-stakes of the situation, Adam Meyers – from cybersecurity firm Crowdstrike – said: “The internet’s on fire right now. People are scrambling to patch, and all kinds of people scrambling to exploit it.”
While Joe Sullivan, chief security officer for Cloudflare, said: “I’d be hard-pressed to think of a company that’s not at risk”.
And Amit Yora, the CEO of Tenable, labelled the Log4j flaw as the “single biggest, most critical vulnerability of the last decade”.
To stay safe, keep an eye out for any updates that could be push out for the OS’s and services you use in the coming days, weeks and months. For the Java Edition of Minecraft, Microsoft has pushed out the 1.18 update which will help keeps users safe from the flaw.
Published at Mon, 13 Dec 2021 17:57:31 +0000