The critical Log4J vulnerability that has “set the Internet on fire” explained.
Developers are racing to apply a patch to fix one of the most critical software vulnerabilities of the last decade.
If you have your ear to the ground in cybersecurity circles, or even if you don’t, you’re probably aware that there is a rather serious cybersecurity exploit making headlines around the world.
And yes, this one is serious. As in seriously serious. But unless you happen to be a software developer, or you’re responsible for ensuring your business’s networks, servers and apps are both secure and exploit-free – there isn’t a great deal you can do for now. Except, perhaps, send your best wishes to anyone that does so happen to work in those fields. (You should also be updating any software you use, but of course you should be doing that anyway, right?)
So, what’s happened?
Basically, this all started last month when a security flaw was found in some open-source software known as Log4J. Now, security flaws are found all the time, but this one is particularly bad, for several reasons.
Namely –
1. This security flaw is really easy to exploit. You don’t need to be part of a cutting-edge hacking collective to be able to exploit this.
2. It’s a serious flaw that can result in attackers doing all sorts of damage, including malware installs or data theft, to anyone who uses the affected software.
3. The software affected, Log4J, is extremely, extremely popular, used by millions of businesses, apps and games around the globe. This includes Microsoft’s Minecraft, Steam, iCloud and Amazon Web Services (which in turn are used by millions of businesses.)
4. The bad guys found this flaw first. Any regular reader will know that’s what we call a zero-day exploit.
5. And because the bad guys found it first, many have already created automated tools designed to scan for businesses using the affected software and then to try and attack them.
To condense the above five points, it’s the Internet’s worst nightmare. One security researcher dubbed it the “most serious flaw of the last decade.” One security company claimed the “Internet is on fire”. It’s also had the US’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) (among others) posting advisories about the critical nature of this vulnerability.
Perhaps the only saving grace here is that a security fix was developed before knowledge of the vulnerability became widespread. But last week, public knowledge did indeed become widespread. Meaning now the race is on to remedy any server, app, website and network that could be affected.
What is Log4J?
We won’t get too technical here, except to say that Log4J is a tool used by software developers and apps to log error messages when they occur, in order to help developers identify errors and debug their tools and services.
It’s open-source, which means it can be used by anyone with the relevant know-how. It’s written in a programming language called Java, and it’s maintained by an organisation called the Apache Software Foundation.
But what’s most important to know is that it is used by millions around the Internet.
How does the exploit work?
Again, we’re not going to get overly technical here, but it’s down to a common type of exploit whereby attackers can enter specially-crafted data into the software with the intention of “breaking” that software.
You see, lots of software needs users to enter data into it. Think of Google, for example. Google isn’t much good if it doesn’t let the user enter any data into it. However, when software allows a user to enter data into it, in some circumstances that data can be specially crafted by an attacker to make the software break, and this can potentially be exploited by attackers.
What’s going on now?
An updated version of Log4J has already been released which fixes the vulnerability, but this is only a small part of the solution. The biggest challenge is getting the countless businesses, organisations and entities that use Log4J to apply the patch, which isn’t always easy.
So behind the scenes, server administrators everywhere around the globe are installing this updated version of Log4J and attempting to get their own users to update as well.
What should I be doing?
Update when you can.
Of course, this is standard security advice we hope everyone should be following anyway. The security patch is being “trickled” down the Internet, all the way down to home users. So always make sure the software you use (especially iCloud, Twitter, Minecraft) is up-to-date to ensure you’re not vulnerable to this flaw.
It’s too early to tell how costly this is going to be for businesses and how successful the crooks have been at exploiting this vulnerability, but what we do know is that this is one of the largest and most serious vulnerabilities ever found in cyberspace, and the next few days and weeks will be critical in terms of mitigating this threat.