World scrambles to fix Log4Shell bug, ‘biggest, most critical’ software flaw exploited by Minecraft users
- Cybersecurity specialists said ‘Log4Shell’ had been ‘fully weaponised’ and was possibly ‘the single biggest, most critical vulnerability’ in modern computing
- The first obvious signs of the flaw’s exploitation appeared in online game Minecraft, but untold millions of servers across industry and government are at risk
A critical vulnerability in a widely used software tool – one quickly exploited in the online game Minecraft – is rapidly emerging as a major threat to organisations around the world.
“The internet’s on fire right now,” said Adam Meyers, senior vice-president of intelligence at the cybersecurity firm Crowdstrike. “People are scrambling to patch,” he said, “and all kinds of people scrambling to exploit it.” He said on Friday morning that in the 12 hours since the bug’s existence was disclosed that it had been “fully weaponised”, meaning malefactors had developed and distributed tools to exploit it.
The flaw may be the worst computer vulnerability discovered in years. It was uncovered in an open-source logging tool that is ubiquitous in cloud servers and enterprise software used across industry and government. Unless it is fixed, it grants criminals, spies and programming novices alike easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.
“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors. Untold millions of servers have it installed, and experts said the fallout would not be known for several days.
Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” – and possibly the biggest in the history of modern computing.
The vulnerability, dubbed “Log4Shell”, was rated 10 on a scale of one to 10 the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software,