Software bugs put computer systems around the world at risk and enable cyberattacks


By FRANK BAJAK, author of AP Technology

BOSTON (AP) – A critical vulnerability in a widely used software tool – one that was quickly exploited in the online game Minecraft – is quickly becoming a major threat to businesses around the world.

“The internet is on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike. “People are scrambling for patches,” he said, “and all kinds of people are trying to take advantage of it.” He said Friday morning that in the 12 hours since the bug was posted, the bug was “fully weapons grade,” meaning that malefactors had developed and distributed tools to exploit it.

The bug could be the worst computer vulnerability discovered in years. It was discovered in a utility that is ubiquitous in cloud servers and enterprise software used in industry and government. If left unchecked, it gives criminals, spies, and novice programmers alike easy access to internal networks where they loot valuable data, install malware, delete critical information, and much more.

“I have a hard time imagining a company that isn’t at risk,” said Joe Sullivan, chief security officer of Cloudflare, whose online infrastructure protects websites from malicious actors. Countless millions of servers have it installed, and experts said the fallout wouldn’t be known for several days.

Amit Yoran, CEO of cybersecurity company Tenable, called it “the biggest and most critical vulnerability of the last decade” – and possibly the biggest in the history of modern computers.

The vulnerability, called “Log4Shell”, was rated 10 on a scale from one to 10 by the Apache Software Foundation, which monitors the development of the software. Anyone with the exploit can have full access to an unpatched computer using the software.

Experts said the vulnerability allowed an attacker to access a web server without requiring a password, which is what makes it so dangerous.

The vulnerability, which resides in open source Apache software used to run websites and other web services, was reported to the foundation on Nov. 24 by Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.

However, patching systems around the world can be a complicated task. While most organizations and cloud providers like Amazon should be able to easily update their web servers, often the same Apache software is also embedded in third-party programs that often can only be updated by their owners.

Tenable’s Yoran said businesses need to assume they’ve been compromised and act quickly.

The first obvious signs of exploitation of the bug appeared in Minecraft, an online game very popular with children and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users would already be using it to run programs on other users’ computers by pasting a short message in a chat box.

Microsoft said it has released a software update for Minecraft users. “Customers who apply the fix are protected,” it said.

The researchers reported that they found evidence that the vulnerability could be exploited in servers owned by companies such as Apple, Amazon, Twitter, and Cloudflare.

Cloudflare’s Sullivan said there was no evidence of his company’s servers being compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.

About Willie Ash

Check Also

The new PS5 system software beta adds two of the most requested features by users

A folder of sorts finally hits the PS5 system software later this year. Sony Native …