It has certainly been a while since we’ve had a nasty bug making enough of a stink that it warrants being the subject of one of our weekly blog posts, but here we are again. The good thing has always been that these software vulnerabilities are usually quite limited in the scope of what they’re capable of, and that means they usually don’t get much fanfare and they’re also usually fairly easily dealt with via patches and the like.
The problem comes when the bug is rooted in software that is ubiquitous in cloud servers and enterprise software, used as much in government as it is in industry. That’s the scenario with the new Log4Shell Software Vulnerability that has the Internet ‘On Fire’ according to those who are qualified to determine whether something is on fire or not. All joking aside, this is apparently a critical vulnerability in a widely used software tool, and, interestingly enough, one that was quickly exploited in Minecraft.
But now it is emerging as a serious threat to organizations around the world, and here at 4GoodHosting, like most quality Canadian web hosting providers, we like to keep our people in the know when it comes to anything that’s so far-reaching it might apply to a good number of them.
Quick to be Weaponized
Cybersecurity firm Crowdstrike is as good as any for staying well on top of these things, and what they have to say about Log4Shell is that within 12 hours of the bug announcing itself it had been fully weaponized. That means that tools have been developed and distributed for the purpose of exploiting it. Apparently all sorts of people are scrambling to patch, but just as many are scrambling to exploit.
It’s believed this software flaw may be the worst computer vulnerability to come along in years. As hinted at, it was discovered in a utility that’s ubiquitous in cloud servers and enterprise software used across industry and government. If allowed to continue unchecked, it has the potential to give criminals, spies, pimps and programming novices alike no-hassle access to internal networks.
Once in, they can loot valuable data, place malware, wipe out crucial information or do a whole lot of other types of damage. And it seems that many different kinds of companies could be at risk because their servers have this utility installed on them, and we’re still in the early stages of fallout with this.
Cybersecurity firm Tenable goes one step further in describing it as ‘the single biggest, most critical vulnerability of the last decade’ and maybe even the biggest one in the history of modern computing.
10 / 10 Cause for Alarm
We also have Log4Shell being given a 10 on a scale of 1 to 10 for cause for alarm by the Apache Software Foundation, which oversees development of the software. The problem is that anyone with the exploit can obtain full access to an unpatched computer that uses the software, and specifically, the extreme ease with which an attacker can access a web server through the vulnerability, without a password, is said to be what makes it such a major threat.
A computer emergency response team in New Zealand was the first to report the flaw being actively exploited in the wild, just hours after the first patch was released in response to it. This was weeks ago now, and the hugely popular online game Minecraft was where the first obvious signs of the flaw’s exploitation were seen, and the fact the game is owned by Microsoft shouldn’t be overlooked.
It’s been reported at the same time that Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box. Apparently a software update for game users followed shortly after, and customers who apply the fix are protected. But the ‘fire’ isn’t contained by any means: researchers reported finding evidence the vulnerability may also be exploited in servers operated by companies like Apple, Amazon, Twitter and Cloudflare.