“The internet's on fire right now," said Adam Meyers,
senior vice president of intelligence at the cybersecurity firm Crowdstrike.
“People are scrambling to patch,” he said, "and all kinds of people
scrambling to exploit it." He said Friday morning that in the 12 hours
since the bug's existence was disclosed that it had been "fully
weaponized,” meaning malefactors had developed and distributed tools to exploit
it.
The flaw may be the worst computer vulnerability discovered
in years. It was uncovered in an open-source logging tool that is ubiquitous in
cloud servers and enterprise software used across industry and government.
Unless it is fixed, it grants criminals, spies, and programming novices alike
easy access to internal networks where they can loot valuable data, plant
malware, erase crucial information and much more.
“I'd be hard-pressed to think of a company that's not at
risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online
infrastructure protects websites from malicious actors. Untold millions of
servers have it installed, and experts said the fallout would not be known for
several days.
Amit Yoran, CEO of the cybersecurity firm Tenable, called it
“the single biggest, most critical vulnerability of the last decade” — and
possibly the biggest in the history of modern computing.
The vulnerability, dubbed ‘Log4Shell,' was rated 10 on a
scale of one to 10 the Apache Software Foundation, which oversees development
of the software. Anyone with the exploit can obtain full access to an unpatched
computer that uses the software.
Experts said the extreme ease with which the vulnerability
lets an attacker access a web server — no password required — is what makes it
so dangerous.
New Zealand's computer emergency response team was among the
first to report that the flaw was being “actively exploited in the wild"
just hours after it was publicly reported Thursday and a patch released.
The vulnerability, located in open-source Apache software
used to run websites and other web services, was reported to the foundation on
November 24 by the Chinese tech giant Alibaba, it said. It took two weeks to
develop and release a fix.
But patching systems around the world could be a complicated
task. While most organizations and cloud providers such as Amazon should be
able to update their web servers easily, the same Apache software is also often
embedded in third-party programs, which often can only be updated by their
owners.
Yoran, of Tenable, said organizations need to presume
they've been compromised and act quickly.
The first obvious signs of the flaw's exploitation appeared
in Minecraft, an online game hugely popular with kids and owned by Microsoft.
Meyers and security expert Marcus Hutchins said Minecraft users were already
using it to execute programs on the computers of other users by pasting a short
message in a chat box.
Microsoft said it had issued a software update for Minecraft
users. “Customers who apply the fix are protected,” it said.
Researchers reported finding evidence the vulnerability
could be exploited in servers run by companies such as Apple, Amazon, Twitter,
and Cloudflare.
Cloudflare's Sullivan said there we no indication his
company's servers had been compromised. Apple, Amazon, and Twitter did not
immediately respond to requests for comment.
0 comments:
Post a Comment