Cybersecurity experts have raised the alarm about a previously unknown critical flaw in a commonly used software tool that could potentially allow hackers to compromise millions of devices connected to the internet.
The fault, known as ‘Log4Shell’, has been described as the “single biggest, most critical vulnerability of the last decade” – which puts it in the running for a place among the biggest glitches in modern computing history. Researchers have warned that the flaw affects servers run by tech giants like Microsoft, Apple, Amazon, and Twitter.
The first indication about the exploit was seen on sites that hosted servers for the hugely popular Microsoft-owned online game Minecraft. Marcus Hutchins, the British security researcher known for halting the WannaCry malware attack, tweeted that apparently some of the game’s users were already using the flaw to remotely run programs on the computers of other users by “simply pasting a short message into a chat box.”
In the case of Minecraft, attackers were able to get remote code execution on Minecraft Servers by simply pasting a a short message into the chat box.
The vulnerability, which is located in ‘log4j’ – an open-source logging tool developed by the Apache Software Foundation – was first reported on November 24 by Chinese tech giant Alibaba. The foundation then rated the severity of the problem at 10 on a scale of one to 10. However, the flaw was only publicly revealed on Thursday.
The logging software is used by Amazon Web Services and other cloud server providers as well as industry and government networks. Logging refers to a process where applications keep a running tab on activities they have performed that can later be reviewed to check for errors. Nearly every network security system uses a logging process, which hints at the scale of the problem.
Noting that hackers had “fully weaponized” the exploit shortly after it was revealed, Adam Meyers – senior vice president of intelligence at cybersecurity firm Crowdstrike – told the AP that the “internet’s on fire right now” as experts raced to patch the flaw while new tools to exploit it were being distributed.
Although a security fix to the log4j tool has been released, Log4Shell will remain a threat during the time it takes to ensure that all vulnerable machines are updated.