Global race to fix a critical computer bug


BOSTON (AP) – Security experts around the world rushed on Friday to fix one of the worst computer vulnerabilities discovered in years, a critical flaw in open source code widely used in industry and government in services cloud and enterprise software.

“I would be hard pressed to think of a company that is completely risk free,” said Joe Sullivan, chief security officer of Cloudflare, whose online infrastructure protects websites from malicious actors. Millions of servers installed it, and experts said the fallout would not be known for several days.

The New Zealand IT Emergency Response Team was among the first to report that the flaw in a Java-language utility for Apache servers used to record user activity was “actively exploited in the nature ”just hours after it was released on Thursday and a patch was released. .

The vulnerability, nicknamed “Log4Shell”, was rated 10 on a scale of 1 to 10, the worst possible. Anyone with the exploit can gain full access to an unpatched machine.

“The internet is on fire right now. People are scrambling to patch and there’s script kiddies and all kinds of people scrambling to exploit it, ”said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike. “For the past 12 hours he has been fully armed. “

The vulnerability of the Apache Software Foundation module was discovered on Nov. 24 by Chinese tech giant Alibaba, the foundation said. Meyers expected IT emergency response teams to spend a busy weekend trying to identify all impacted machines. Hunting is complicated by the fact that the affected software can be found in programs provided by third parties.

Exploitation of the flaw was apparently first discovered in Minecraft, a popular online game with children and owned by Microsoft.

Meyers and security expert Marcus Hutchins said Minecraft users have previously used it to run programs on other users’ computers by pasting a short message into a chat box.

Microsoft said it has released a software update for Minecraft users and that “customers who apply the patch are protected.”

Researchers reported finding evidence that the vulnerability could be exploited on servers managed by companies such as Apple, Amazon, Twitter, and Cloudflare.

Sullivan of Cloudflare said there was no indication that his company’s servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.


Comments are closed.