“The Internet is on fire right now. People are scrambling to fix it, and all kinds of people are scrambling to exploit it,” said Adam Myers, senior vice president of intelligence at cybersecurity firm Crowdstrike. That morning, within the 12 hours since the bug was revealed, it had been “fully armed,” meaning criminals had developed and distributed tools to exploit it.
The flaw might be the worst security vulnerability discovered in years. It is disclosed in a ubiquitous tool in cloud servers and enterprise software used across industry and government. Unless it’s fixed, it gives criminals, spies and programming novices alike easy access to intranets where they can loot valuable data, plant malware, erase important information, and more.
“I would be hard pressed to think of a company that is not at risk,” said Joe Sullivan, chief security officer of Cloudflare, whose online infrastructure protects websites from malicious actors. The software is installed on untold millions of servers, and experts said the repercussions will not be known for several days.
Amit Yoran, CEO of cybersecurity firm Tenable, called it “the single biggest and most severe vulnerability of the past decade” – and perhaps the largest in the history of modern computing.
The vulnerability, dubbed “Log4Shell,” was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the program. Anyone with the exploit could gain full access to an unpatched computer using the software.
The sheer ease with which the vulnerability allows an attacker to gain access to a web server – without the need for a password – is what makes it so dangerous, experts said.
New Zealand’s Computer Emergency Response Team was among the first to report that attackers were “actively exploiting the vulnerability in the wild,” just hours after it was publicly announced on Thursday and a patch was issued.
Chinese technology giant Alibaba said it notified the foundation on November 24 of the vulnerability in open source Apache software used to run websites and other web services. It took two weeks to develop and release the fix.
But patching systems around the world can be a complex task. While most organizations and cloud providers like Amazon should be able to update their web servers easily, the Apache software itself is often built into third-party software, which can often only be updated by its owners.
Yoran, of Tenable, said organizations need to assume they have been compromised and act quickly.
The first clear signs of the bug being exploited appeared in Minecraft, an online game owned by Microsoft and popular with children. Myers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on other users’ computers by pasting a short message into the chat box.
Microsoft said it has released a software update for Minecraft users. “Customers who apply the fix are protected,” the company said.
Researchers report finding evidence that the vulnerability can be exploited in servers operated by companies such as Apple, Amazon, Twitter and Cloudflare.
Cloudflare’s Sullivan said there was no indication that his company’s servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.